This pack covers ten intelligence items spanning four attack categories: unauthenticated remote code execution and authentication bypass in internet-facing web and enterprise applications (three CISA KEV-confirmed CVEs at CVSS 9.8), a China-aligned nation-state campaign deploying PlugX against EU/NATO diplomatic targets via OAuth abuse and living-off-the-land techniques, a Russia-linked ransomware operation with hybrid-warfare characteristics targeting European democratic institutions, and a cluster of supply-chain and OT/ICS vulnerabilities requiring prioritized remediation. Immediate attention is required for CVE-2026-27971 (Qwik RCE), CVE-2026-24477 (AnythingLLM credential exposure), and CVE-2025-71257 (BMC FootPrints auth bypass), all confirmed actively exploited and on CISA KEV. The TA416 diplomatic targeting campaign represents the highest-sophistication persistent threat in this pack and requires identity governance and cloud monitoring controls beyond standard patching.