CrowdStrike 2026 Technology Threat Landscape Report: China’s Ambitions Fuel Attacks
The CrowdStrike 2026 Technology Threat Landscape Report highlights that the technology sector remains the primary target for both state-sponsored and eCrime adversaries. China-nexus actors focus on intellectual property theft and AI capabilities, while DPRK-nexus actors leverage fraudulent employment and open-source supply chain compromises (such as the Axios npm package). Additionally, eCrime groups are accelerating extortion operations and exploiting AI trends to distribute malware like macOS infostealers.
- npm package: axios. Legitimate npm package compromised by STARDUST CHOLLIMA to poison open-source supply chains.
What Happened
Cybercriminals and nation-state hackers are heavily targeting technology companies to steal intellectual property, artificial intelligence research, and money. Hackers from China are primarily trying to steal advanced tech secrets, while North Korean hackers are getting fake jobs at tech companies to secretly send salaries back to their regime. Criminal groups are also holding tech companies' data for ransom and sneaking malicious code into popular software building blocks. Organizations should strengthen their hiring verification processes, monitor their software supply chains, and stay alert for fake AI-related software downloads.
Key Takeaways
- China-nexus adversaries account for over 58% of state-sponsored targeted intrusions in the tech sector, focusing on AI capabilities and intellectual property.
- DPRK actors, such as FAMOUS CHOLLIMA, heavily utilize insider threats via fraudulent employment to generate revenue for their regime.
- Supply chain attacks remain a critical threat, highlighted by STARDUST CHOLLIMA's compromise of the widely used Axios npm package.
- eCrime extortion against tech entities is surging, with 572 organizations named on dedicated leak sites.
- Threat actors are leveraging AI themes (e.g., OpenClaw lures) to distribute new macOS information stealers.
Affected Systems
- macOS
- GitHub repositories
- npm ecosystem
- Technology sector organizations
Attack Chain
Adversaries gain initial access through various means, including password spraying (MURKY PANDA), fraudulent employment (FAMOUS CHOLLIMA), and exploiting vulnerabilities. Once inside, they maintain persistence and target high-value assets like AI research, intellectual property, or source code repositories. Some actors pivot to supply chain compromise by injecting malicious code into widely used open-source packages (e.g., Axios) or GitHub repositories (Glassworm). Finally, eCrime actors exfiltrate data and utilize dedicated leak sites to extort the victim organizations.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article provides strategic threat intelligence and behavioral trends but does not include specific detection rules or queries.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR can detect malware execution (like the macOS infostealer or Glassworm) and anomalous behavior from compromised accounts, but may struggle with insider threats using legitimate access.
- Network Visibility: Medium. Network monitoring can identify connections to known extortion leak sites or anomalous data exfiltration, but supply chain compromises via legitimate channels (like npm) blend in with normal traffic.
- Detection Difficulty: Hard. Detecting fraudulent employment and sophisticated supply chain compromises requires cross-departmental coordination (HR and IT) and deep inspection of open-source dependencies.
Required Log Sources
- Authentication logs
- Endpoint process execution logs
- Network flow logs
- HR/Identity verification logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous authentication patterns, such as password spraying attempts from single or rotating IPs against multiple user accounts. | Authentication logs | Initial Access | Medium |
| If you have visibility into developer environments, consider hunting for unexpected modifications to source code repositories or unusual npm package installations. | CI/CD logs, Endpoint process execution logs | Persistence / Supply Chain Compromise | High |
| Consider hunting for anomalous remote access logins originating from unexpected geographic locations, which may indicate fraudulent IT worker activity. | VPN/Authentication logs | Initial Access / Persistence | Medium |
Control Gaps
- Identity verification during remote hiring
- Software composition analysis (SCA) for open-source dependencies
Key Behavioral Indicators
- Multiple failed login attempts across different accounts from the same source
- Unexpected code commits or dependency changes in CI/CD pipelines
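The first hunting hypothesis and the first behavioral indicator above both describe password spraying: one source failing logins across many distinct accounts. The following is an added example, not code from the CrowdStrike report, that runs that logic over constructed authentication log lines; it also aggregates by /24 so that an adversary rotating through neighbouring addresses (the "rotating IPs" case) is still caught, while a single user retrying their own password is not flagged.

```python
# Added example (not from the CrowdStrike report): flag password-spraying
# candidates, i.e. one source (or its /24) failing logins for many distinct
# accounts inside a short window. The log lines below are constructed samples
# in an assumed "ts src= user= result=" format.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

SAMPLE_AUTH_LOGS = """\
2026-03-01T08:00:01Z src=203.0.113.10 user=alice result=FAIL
2026-03-01T08:00:03Z src=203.0.113.10 user=bob result=FAIL
2026-03-01T08:00:05Z src=203.0.113.11 user=carol result=FAIL
2026-03-01T08:00:07Z src=203.0.113.12 user=dave result=FAIL
2026-03-01T08:00:09Z src=203.0.113.13 user=erin result=FAIL
2026-03-01T08:00:11Z src=203.0.113.14 user=frank result=FAIL
2026-03-01T08:00:13Z src=203.0.113.10 user=alice result=OK
2026-03-01T08:30:00Z src=198.51.100.7 user=alice result=FAIL
2026-03-01T08:30:05Z src=198.51.100.7 user=alice result=FAIL
2026-03-01T08:30:09Z src=198.51.100.7 user=alice result=OK
"""

def parse(line):
    ts, src, user, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            src.split("=", 1)[1], user.split("=", 1)[1], result.split("=", 1)[1])

def spray_candidates(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: set(accounts)} for every exact IP and every /24 that
    fails logins for >= min_accounts distinct users within any interval of
    length `window`. One account failing many times is not a spray."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    per_source = defaultdict(list)      # source key -> [(ts, user), ...]
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        net = str(ip_network(f"{src}/24", strict=False))
        per_source[src].append((ts, user))   # exact address
        per_source[net].append((ts, user))   # its /24, for rotating sources
    hits = {}
    for src, fails in per_source.items():
        lo = 0
        for hi in range(len(fails)):         # sliding window over sorted fails
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            users = {u for _, u in fails[lo:hi + 1]}
            if len(users) >= min_accounts:
                hits[src] = users
    return hits

if __name__ == "__main__":
    for src, users in spray_candidates(SAMPLE_AUTH_LOGS).items():
        print(f"{src}: {len(users)} accounts -> {sorted(users)}")
```

On the sample data only the 203.0.113.0/24 aggregate crosses the threshold; no single address does, which is exactly the case a per-IP rule misses.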
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Audit existing open-source dependencies, particularly the Axios npm package, for signs of compromise or unexpected version changes.
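One concrete way to audit for unexpected dependency changes is to diff the lockfile that was last reviewed against the one currently checked in. The following is an added example, not code from the CrowdStrike report; it assumes npm's lockfileVersion 2/3 layout (a "packages" map keyed by node_modules path) and uses constructed lockfiles whose axios version and integrity values are placeholders, not the real compromised release.

```python
# Added example (not from the CrowdStrike report): compare two package-lock.json
# snapshots and list dependencies that were added, removed, changed version, or
# kept their version while the integrity hash changed. The latter is the case
# that deserves the closest look: the tarball for an already-pinned version
# should never change. Lockfiles below are constructed; hashes are placeholders.
import json

OLD_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"axios": "^1.0.0"}},
    "node_modules/axios": {"version": "1.0.0", "integrity": "sha512-PLACEHOLDER_A"},
    "node_modules/follow-redirects": {"version": "1.15.0", "integrity": "sha512-PLACEHOLDER_B"},
}})
NEW_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"axios": "^1.0.0"}},
    "node_modules/axios": {"version": "1.0.0", "integrity": "sha512-PLACEHOLDER_C"},
    "node_modules/follow-redirects": {"version": "1.15.0", "integrity": "sha512-PLACEHOLDER_B"},
    "node_modules/new-helper": {"version": "0.1.0", "integrity": "sha512-PLACEHOLDER_D"},
}})

def _installed(lock_text):
    """Map installed package path (minus the leading node_modules/) to its
    metadata. Nested installs keep their inner path so they stay distinct."""
    pkgs = json.loads(lock_text).get("packages", {})
    return {k[len("node_modules/"):]: v
            for k, v in pkgs.items() if k.startswith("node_modules/")}

def lockfile_drift(old_lock, new_lock):
    """Return a sorted list of (package, finding) tuples for human review."""
    old, new = _installed(old_lock), _installed(new_lock)
    findings = []
    for name, meta in new.items():
        if name not in old:
            findings.append((name, f"added {meta.get('version')}"))
            continue
        ov, nv = old[name].get("version"), meta.get("version")
        oi, ni = old[name].get("integrity"), meta.get("integrity")
        if ov != nv:
            findings.append((name, f"version {ov} -> {nv}"))
        elif oi != ni:
            findings.append((name, f"integrity changed for pinned {nv}"))
    for name in old.keys() - new.keys():
        findings.append((name, "removed"))
    return sorted(findings)

if __name__ == "__main__":
    for pkg, finding in lockfile_drift(OLD_LOCK, NEW_LOCK):
        print(f"{pkg}: {finding}")
```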
Infrastructure Hardening
- Implement strict identity verification and background checks for remote hires to mitigate DPRK insider threats.
- Enforce multi-factor authentication (MFA) and monitor for password spraying attacks against external-facing infrastructure.
User Protection
- Deploy macOS-compatible endpoint protection to detect and block emerging information stealers.
- Restrict access to sensitive source code repositories using role-based access control (RBAC) and require signed commits.
Security Awareness
- Educate developers on the risks of downloading software or tools from unverified sources, especially those using AI-themed lures (e.g., OpenClaw).
- Train HR and recruiting teams to identify red flags in remote job applications and interviews.
MITRE ATT&CK Mapping
- T1110.003 - Brute Force: Password Spraying
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1078 - Valid Accounts
- T1567 - Exfiltration Over Web Service
- T1566.002 - Phishing: Spearphishing Link