CrowdStrike says China-nexus adversaries drove more than 58% of state-sponsored targeted intrusions against the technology sector between April 1, 2025 and March 31, 2026, as attackers focused on AI capabilities, intellectual property and downstream access into enterprise customers.
The finding comes from CrowdStrike’s 2026 Technology Threat Landscape Report, which covers companies involved in computer hardware and technology, IT services and consulting, semiconductors and software.
The report says technology entities accounted for 20% of all observed interactive intrusions in Q1 2026, seeing 26% more hands-on-keyboard intrusions than consulting and professional services, the second-most-targeted sector.
Targeting AI capabilities and downstream access
CrowdStrike named MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA and WARP PANDA among the China-nexus groups most active against technology companies. Its report says those operations align with Chinese government priorities around technology development, intellectual property and information with strategic and economic value.
The China-nexus activity also extends beyond direct IP theft. CrowdStrike wrote that China-linked adversaries seek access to downstream customer environments that can enable supply-chain compromise, making technology providers valuable not only for what they build, but for the enterprise networks they connect to.
“Technology organizations are building the most valuable and most targeted assets in the world. Every AI breakthrough creates a competitive advantage and new attack surface at the same time,” said Adam Meyers, head of counter adversary operations at CrowdStrike.
“China runs cyberespionage as industrial policy to try to close the AI innovation gap, demonstrating that AI capabilities are the prize adversaries are after.”
The report’s state-sponsored picture is not limited to China. In the report’s state-nexus breakdown, China-linked groups accounted for 58.5% of state-sponsored targeted intrusions against technology entities, followed by DPRK-nexus actors at 22%, Iran-nexus actors at 14.6% and Russia-nexus actors at 4.9%.
CrowdStrike said that breakdown excludes FAMOUS CHOLLIMA operations because their volume would disproportionately skew the dataset. North America-based technology organizations saw the highest level of targeting, accounting for 45% of all hands-on-keyboard intrusions against the sector.
A spokesperson for the Chinese Embassy in Washington told Reuters that “China opposes hacking activities and fights such activities in accordance with the law,” and rejected “vilification and smears under the pretext of cybersecurity.”
North Korean actors infiltrate via remote IT roles
DPRK activity followed a different pattern. CrowdStrike said FAMOUS CHOLLIMA used AI-enhanced personas and U.S. front companies to obtain remote IT roles inside technology firms, accounting for 47% of all state-sponsored interactive intrusions against the sector.
That finding lines up with earlier U.S. government warnings. The FBI said in January 2025 that North Korean IT workers had used unlawful network access to exfiltrate proprietary and sensitive data, support cybercriminal activity and generate revenue for the regime. The Justice Department said in June 2025 that North Korean actors had fraudulently obtained remote IT work at more than 100 U.S. companies using stolen and fake identities with help from facilitators in the U.S., China, the United Arab Emirates and Taiwan.
“North Korean IT workers defraud American companies and steal the identities of private citizens, all in support of the North Korean regime,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in the Justice Department release.\
eCrime drives the majority of hands-on attacks
Financially motivated actors still represented the larger share of hands-on activity. CrowdStrike said eCrime made up 65% of hands-on-keyboard operations against technology companies. Initial access brokers advertised access to 277 technology organizations, a nearly 30% increase, while big game hunting actors named 572 technology entities on dedicated leak sites for extortion.
Poisoning developer tools and code repositories
Developer infrastructure was another route into technology companies and their customers. CrowdStrike said STARDUST CHOLLIMA compromised the Axios npm package, which it described as downloaded 100 million times per week.
Separately, an unknown actor operating Glassworm malware compromised 350 GitHub repositories to inject malicious code into JavaScript and Python projects.
In a May blog post, CrowdStrike detailed how Glassworm targeted software developers through OpenVSX extensions, npm and Python packages and poisoned GitHub repositories using stolen developer credentials. The company said it worked with Google and the Shadowserver Foundation to disrupt Glassworm’s command-and-control infrastructure on May 26.
Defending the technology attack surface
For enterprise security teams, the report links technology-sector risk to identity controls, software supply-chain governance and AI security. The cited pathways include model and IP theft, remote-worker infiltration, access-broker sales, poisoned dependencies and compromised repositories.
Those pathways touch hiring checks, contractor oversight, privileged access, package governance, CI/CD controls and customer-facing software risk.