The multi-vector campaign item (priority 0.55, CVSS 9.5) spans 43 CVEs across Google Chrome, Veeam Backup & Replication, SAP, Nginx UI, K7 Ultimate Security, Intego X9, pac4j-jwt, HPE Aruba AOS-CX, PostgreSQL, WordPress plugins, Gogs, Cloudflare Pingora, Apache ZooKeeper, SGLang, Palo Alto Cortex XDR Broker VM, Cisco IOS XR, graphql-upload-minimal, OpenSSH, Microsoft Authenticator, CUPS, AWS S3, Asus routers, and others; individual CVE details for the majority of listed identifiers were not independently enriched in the source data and should be verified against NVD before prioritization. The campaign additionally encompasses a confirmed malicious nx npm supply chain package enabling AWS credential theft and two SOHO router botnets (AVrecon, SocksEscort) used as residential proxy infrastructure. Organizations should audit CI/CD pipelines for nx package versions published on or after August 2025, rotate any exposed AWS credentials, apply latest firmware to Asus and SOHO edge devices, and verify NVD for patch status of each listed CVE against their installed product inventory.