Five non-CVE items describe active threat activity with broad organizational relevance: ransomware campaigns disrupting U.S. healthcare and municipal government (SCC-CAM-2026-0104, critical); Bubble.io no-code platform abuse for Microsoft 365 credential harvesting via AI-obfuscated Shadow DOM phishing (SCC-CAM-2026-0105, high); the University of Hawaii Cancer Center ransomware breach exposing 1.2 million records with HIPAA notification implications (SCC-DBR-2026-0061, high); a third-party vendor breach at Crunchyroll exposing up to 6.8 million user records with supply chain access control implications (SCC-DBR-2026-0062, high); and the Akira RaaS group actively targeting legal and professional services organizations (SCC-TAC-2026-0003, high). Common defensive priorities across all five items include enforcing MFA on all remote access points, validating backup integrity, auditing third-party vendor access controls, and ensuring incident response playbooks and retainers are current.