ctipilot.ch

CrowdStrike 2026 Technology Threat Landscape Report

annual-report · annual-report:crowdstrike-tech-threat-landscape-2026 SINGLE-SOURCE

Coverage timeline: 1 (first 2026-06-11 → last 2026-06-11)
Briefs: 1 (1 distinct)
Sources cited: 13 (9 hosts)
Sections touched: 1 (research)
Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-06-11 · CTI Daily Brief — 2026-06-11
    research · PD-9 one-treatment. China-nexus 58% of state-sponsored tech intrusions; FAMOUS CHOLLIMA 47% hands-on-keyboard; axios npm claim flagged single-source.

Where this entity is cited

  • research (1)

Source distribution

  • crowdstrike.com 4 (31%)
  • theregister.com 2 (15%)
  • techcrunch.com 1 (8%)
  • thehackernews.com 1 (8%)
  • helpnetsecurity.com 1 (8%)
  • infosecurity-magazine.com 1 (8%)
  • insidehighered.com 1 (8%)
  • sophos.com 1 (8%)
  • other 1 (8%)

Related entities

All cited sources (13)

Items in briefs about CrowdStrike 2026 Technology Threat Landscape Report (2)

ANNUAL REPORT [SINGLE-SOURCE] — CrowdStrike 2026 Technology Threat Landscape Report: technology is now the most-targeted sector

From CTI Daily Brief — 2026-06-11 · published 2026-06-11

CrowdStrike published its 2026 Technology Threat Landscape Report on 9 June 2026 (CrowdStrike, 2026-06-09). The findings most relevant to a Swiss/EU public-sector SOC running AI and cloud DevOps infrastructure: China-nexus adversaries (named clusters include MURKY PANDA, MUSTANG PANDA and WARP PANDA) drove more than 58% of state-sponsored intrusions against the technology sector, focused on AI capabilities, training data, ML infrastructure and semiconductor IP; and DPRK-nexus FAMOUS CHOLLIMA accounted for 47% of state-sponsored hands-on-keyboard activity through IT-worker infiltration using AI-enhanced personas and front companies across North America, Europe and Asia. The report frames AI/ML development pipelines and model weights as espionage targets warranting the same protection as source code and credentials. CrowdStrike also names a compromise of the axios npm package as part of a DPRK-linked supply-chain operation — a notable claim, but in this run only CrowdStrike asserts it, so treat the axios element as single-source pending independent corroboration.

CrowdStrike, Google and Shadowserver simultaneously sever all four C2 channels of the GlassWorm developer-targeting botnet (not to be confused with the Nx Console / TanStack GitHub-publish chain in § 5) — Russia-attributed, active since early 2025

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

On 2026-05-26T14:00Z, CrowdStrike Counter Adversary Operations, Google, and the Shadowserver Foundation executed a simultaneous takedown of all four C2 channels operated by GlassWorm, a developer-targeting supply-chain campaign active since at least early 2025 (CrowdStrike Counter Adversary Operations, 2026-05-27; TechCrunch, 2026-05-27; The Hacker News, 2026-05-27). GlassWorm's C2 architecture was designed for resilience: (1) Solana blockchain — C2 server addresses encoded in transaction memo fields as an immutable public dead-drop; (2) BitTorrent DHT — GlasswormRAT queries the peer-to-peer network for configuration data stored against hardcoded public keys; (3) Google Calendar — event titles used as Base64-encoded path dead-drops; (4) traditional VPS-hosted C2 for final payload. Taking down any subset would have left the remainder operational.

The attack surface spanned VS Code Marketplace, Open VSX (reaching Forgejo/Gitea-based forks), npm, PyPI, and direct GitHub repository poisoning via stolen developer credentials — 300+ GitHub repositories poisoned across the campaign. Infected hosts were converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and Node.js-based remote execution nodes via WebRTC. CrowdStrike attributes the operators to likely Russia-based actors on the basis of the malware's CIS-locale / language / timezone exit check.

Defender takeaway: the takedown sinkholes existing C2 but does not remediate the infected developer endpoints. Treat every workstation that installed an affected VS Code / Cursor / Windsurf extension between early 2025 and 2026-05-26 as potentially compromised; rotate every CI/CD secret, cloud credential, and GitHub PAT accessible from that host. Hunt: enumerate the org's installed VS Code extension inventory against the published OpenVSX extension allowlist; correlate with developer-endpoint outbound WebRTC connections from node.exe parents.
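One way to run the extension-inventory part of that hunt, as an added example rather than tooling from CrowdStrike or the brief: the script below parses the `extensions.json` inventory that VS Code-family editors keep, flags every extension not on an allowlist, and raises the severity when the install timestamp falls inside the early-2025 to 2026-05-26 exposure window. It assumes the allowlist is a plain set of `publisher.name` ids (the format of the published OpenVSX allowlist is not reproduced here), and that Cursor and Windsurf keep the same inventory layout under `~/.cursor/extensions` and `~/.windsurf/extensions`; both are assumptions. The sample inventory is constructed for the demo and names no real malicious extension.

```python
"""Hunt helper: audit VS Code / Cursor / Windsurf extension inventories
against an allowlist and flag installs inside the GlassWorm exposure window.

Added example, not tooling from CrowdStrike or the brief. Assumptions:
the allowlist is a set of "publisher.name" ids (the brief's "published
OpenVSX extension allowlist" format is not reproduced here); Cursor and
Windsurf keep VS Code's extensions.json layout under ~/.cursor/extensions
and ~/.windsurf/extensions.
"""
import json
from datetime import datetime, timezone
from pathlib import Path

# Editor inventory locations. VS Code's is the standard user-profile path;
# the Cursor and Windsurf paths are assumptions for this example.
EXTENSION_DIRS = {
    "vscode": Path("~/.vscode/extensions"),
    "cursor": Path("~/.cursor/extensions"),
    "windsurf": Path("~/.windsurf/extensions"),
}

# Exposure window from the brief: early 2025 up to the 2026-05-26T14:00Z takedown.
WINDOW_START = datetime(2025, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 26, 14, 0, tzinfo=timezone.utc)


def parse_extensions_json(text):
    """Return (id, version, installed_at) tuples from an extensions.json.

    The file is a JSON array; each entry has identifier.id and version, and
    recent editor builds also record metadata.installedTimestamp in
    milliseconds since the epoch. installed_at is None when it is absent.
    """
    parsed = []
    for entry in json.loads(text):
        ext_id = entry["identifier"]["id"].lower()
        version = entry.get("version", "?")
        stamp = (entry.get("metadata") or {}).get("installedTimestamp")
        installed_at = None
        if isinstance(stamp, (int, float)):
            installed_at = datetime.fromtimestamp(stamp / 1000, tz=timezone.utc)
        parsed.append((ext_id, version, installed_at))
    return parsed


def audit(extensions, allowlist):
    """Flag every extension not on the allowlist.

    Severity is "high" when the install falls inside the exposure window or
    has no timestamp at all (an unknown install date is not an alibi), and
    "medium" when the install provably predates or postdates the window.
    """
    allowed = {ext_id.lower() for ext_id in allowlist}
    findings = []
    for ext_id, version, installed_at in extensions:
        if ext_id in allowed:
            continue
        in_window = installed_at is None or WINDOW_START <= installed_at <= WINDOW_END
        findings.append({
            "id": ext_id,
            "version": version,
            "installed": installed_at.isoformat() if installed_at else None,
            "severity": "high" if in_window else "medium",
        })
    return findings


def scan_host(allowlist, dirs=EXTENSION_DIRS):
    """Audit every editor inventory present on this host, keyed by editor."""
    results = {}
    for editor, directory in dirs.items():
        inventory = directory.expanduser() / "extensions.json"
        if inventory.is_file():
            results[editor] = audit(parse_extensions_json(inventory.read_text()), allowlist)
    return results


# Constructed sample in the extensions.json layout. The "example-pub" ids,
# versions and timestamps are invented for the demo and name no real extension.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2025.4.0",
     "metadata": {"installedTimestamp": 1735689600000}},   # 2025-01-01, allowed
    {"identifier": {"id": "example-pub.theme-helper"}, "version": "0.0.3",
     "metadata": {"installedTimestamp": 1767225600000}},   # 2026-01-01, in window
    {"identifier": {"id": "example-pub.old-tool"}, "version": "1.0.0",
     "metadata": {"installedTimestamp": 1704067200000}},   # 2024-01-01, before window
    {"identifier": {"id": "example-pub.no-stamp"}, "version": "2.1.0"},  # no timestamp
])
SAMPLE_ALLOWLIST = {"ms-python.python"}


if __name__ == "__main__":
    for finding in audit(parse_extensions_json(SAMPLE_EXTENSIONS_JSON), SAMPLE_ALLOWLIST):
        print(finding)
    # Real run: swap SAMPLE_ALLOWLIST for the organisation's approved-extension ids.
    for editor, findings in scan_host(SAMPLE_ALLOWLIST).items():
        print(editor, len(findings), "unlisted extension(s)")
```

Run it per developer host (or ship the inventory files to a central share and run it there); an unlisted extension with a high finding is the trigger for the credential rotation the takeaway calls for, and a missing install timestamp should be treated as in-window rather than as clean.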