CrowdStrike: China-nexus actors drove 58% of state-sponsored intrusions against tech sector
CrowdStrike published its 2026 Technology Threat Landscape Report on June 9, finding China-nexus adversaries drove 58% of state-sponsored targeted intrusions against the technology sector — now the most-targeted industry.
At a glance
- CrowdStrike's 2026 Technology Threat Landscape Report, published June 9, 2026, covers April 1, 2025 to March 31, 2026
- China-nexus adversaries drove 58% of state-sponsored targeted intrusions against the technology sector, the most-targeted industry globally
- MURKY PANDA password-spraying campaign impacted more than 340 U.S.-based entities
- DPRK-linked FAMOUS CHOLLIMA accounted for 47% of state-sponsored interactive intrusions
- STARDUST CHOLLIMA compromised the Axios npm package, downloaded about 100 million times per week
VERDICT — CONFIRMED
CrowdStrike published its 2026 Technology Threat Landscape Report on June 9, finding China-nexus adversaries drove 58% of state-sponsored targeted intrusions against the technology sector — now the most-targeted industry globally — over the report's April 1, 2025 to March 31, 2026 window, with campaigns focused on stealing AI capabilities and intellectual property. Adam Meyers, CrowdStrike's head of counter adversary operations, said 'China runs cyber espionage as industrial policy to close the AI innovation gap,' telling Reuters that 'there is an AI arms race occurring between the U.S. and China, and China intends to achieve global dominance by 2030.' Key findings include: MURKY PANDA password-spraying affecting more than 340 U.S.-based entities; North Korea's FAMOUS CHOLLIMA accounting for 47% of state-sponsored interactive intrusions, largely via fraudulent IT-worker schemes funneling salaries to Pyongyang; STARDUST CHOLLIMA's compromise of the Axios npm package, downloaded roughly 100 million times per week; initial access brokers advertising access to 277 technology organizations, a nearly 30% increase; and 572 technology entities named on ransomware leak sites for extortion.
Financially motivated attacks comprised 65% of all interactive operations, and 350 GitHub repositories were compromised before the Glassworm botnet disruption. Reuters carried the findings on June 10.
Why it matters
the report quantifies state-directed AI-model and IP theft as the dominant espionage driver, hardening the evidentiary base for U.S. policy responses after the White House's April accusation of 'industrial-scale' model distillation by China-based entities.
Update log · verification desk
Key facts on file
- CrowdStrike's 2026 Technology Threat Landscape Report, published June 9, 2026, covers April 1, 2025 to March 31, 2026
- China-nexus adversaries drove 58% of state-sponsored targeted intrusions against the technology sector, the most-targeted industry globally
- MURKY PANDA password-spraying campaign impacted more than 340 U.S.-based entities
- DPRK-linked FAMOUS CHOLLIMA accounted for 47% of state-sponsored interactive intrusions
- STARDUST CHOLLIMA compromised the Axios npm package, downloaded about 100 million times per week
- Initial access brokers advertised access to 277 technology organizations (up nearly 30%); 572 tech entities named on extortion leak sites
- Adam Meyers: 'China runs cyber espionage as industrial policy to close the AI innovation gap'


