CrowdStrike observed DPRK-linked FAMOUS CHOLLIMA, LABYRINTH CHOLLIMA, and STARDUST CHOLLIMA targeting the technology sector during the April 2025-March 2026 reporting period. FAMOUS CHOLLIMA accounted for 47% of state-sponsored hands-on-keyboard operations against technology organizations, driven by fraudulent IT worker infiltration campaigns seeking remote employment across North America, Europe, and Asia for regime revenue. STARDUST CHOLLIMA also pursued supply chain compromise by compromising the widely used Axios npm package, likely exposing millions of downstream users.