IT Brief India - Technology news for CIOs & IT decision-makers

China-linked hackers target tech firms for AI secrets

Wed, 10th Jun 2026

CrowdStrike has published its 2026 Technology Threat Landscape Report, which identifies technology as the world's most targeted industry.

China-linked adversaries were responsible for more than 58% of state-sponsored targeted intrusions against the sector, as attackers sought access to artificial intelligence-related assets and intellectual property held by technology companies.

The analysis drew on intelligence from CrowdStrike's Counter Adversary Operations team, which tracks more than 280 named adversaries. It found pressure from state-backed groups, North Korean operators and financially motivated cybercriminals, all targeting technology companies for different reasons.

Among the China-linked groups named were MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA and WARP PANDA. MURKY PANDA was identified as carrying out a password-spraying campaign that affected more than 340 US-based entities.

The report describes a broad contest for access to AI research, data and software development environments. It argues that the concentration of valuable AI assets inside technology companies has made the sector a priority target for espionage, fraud and extortion.

State actors

North Korea-linked activity was another major part of the findings. CrowdStrike said FAMOUS CHOLLIMA used AI-enhanced personas and US front companies to secure remote IT jobs inside technology firms, accounting for 47% of all state-sponsored interactive intrusions against the sector.

According to the report, these operations were intended to channel illicit revenue to the regime's weapons programmes. The use of AI tools in the schemes also points to a shift in how threat actors present false identities and gain trusted access to corporate systems.

Financially motivated attacks made up an even larger share of activity, accounting for 65% of all interactive operations against the technology sector.

Initial access brokers advertised access to 277 technology organisations, an increase of nearly 30%, according to the report. It also found that so-called big game hunting adversaries named 572 technology entities on dedicated leak sites used for extortion.

Developer targets

The report also highlighted attacks on software supply chains and developer tools. CrowdStrike said STARDUST CHOLLIMA compromised the Axios NPM package, which it said is downloaded 100 million times a week, creating possible exposure for large numbers of downstream users.

In a separate case, malware operators compromised 350 GitHub repositories to inject malicious code into JavaScript and Python projects before the Glassworm botnet was disrupted. These operations targeted software development ecosystems rather than individual end users, underlining how attackers are moving further upstream.

Another trend identified in the report was the use of AI by criminal groups to accelerate attacks. Adversaries used AI-generated scripts to dump credentials and erase forensic evidence quickly, reducing the time available for defenders to detect and respond.

Outside corporate networks, attackers also exploited growing public interest in AI tools. The report said criminals distributed a macOS information stealer known as Skrawl through fake OpenClaw extensions and counterfeit download sites impersonating legitimate AI products.

Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, said the findings reflected the value of assets held by technology companies.

"Technology organisations are building the most valuable and most targeted assets in the world. Every AI breakthrough creates a competitive advantage and new attack surface at the same time," Meyers said.

He said the report showed a direct link between geopolitical competition and cyber activity.

"China runs cyberespionage as industrial policy to try to close the AI innovation gap, demonstrating that AI capabilities are the prize adversaries are after. Whether you're building AI or adopting it, security has to be built in from the start," Meyers said.

The findings add to wider concern across the technology industry over the security of AI systems, developer environments and remote hiring processes, as attackers pursue both strategic intelligence and financial gain through the same broad set of digital targets.