Google Threat Intelligence Group (GTIG)
Organisation · US

Google/Mandiant's threat-intelligence division; attributed the Axios supply-chain attack to North Korea's UNC1069.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

Why did it take GTIG 35 days to find WAVESHAPER.V2 inside one of npm's most-downloaded packages?

Timeline for Google Threat Intelligence Group (GTIG)

#3 · 7 May
CSIS calls for operational US-ROK cyber alliance
Topic: Cybersecurity: Threats and Defences

#3 · 5 May
Disclosed UNC1069's Axios npm compromise and named the WAVESHAPER.V2 implant
Topic: Cybersecurity: Threats and Defences: UNC1069 planted WAVESHAPER.V2 in Axios via maintainer phishing
Common Questions

What is Google Threat Intelligence Group and how is it different from Mandiant?
GTIG is the combined threat-intelligence arm of Google, incorporating Mandiant after Google's $5.4 billion acquisition in 2022. Mandiant still operates under its own brand for some commercial services; GTIG covers Google's threat research and government intelligence work.

Who is UNC1069 and is it North Korea?
UNC1069 is a GTIG designation for a North Korea-nexus intrusion cluster. 'UNC' means the cluster has not yet met Mandiant's full attribution threshold for an APT number. GTIG attributes the Axios supply-chain attack to UNC1069. (Source: GTIG)

How did Google detect the Axios npm package backdoor?
GTIG disclosed the compromise on 5 May 2026, 35 days after UNC1069 injected WAVESHAPER.V2 into Axios v1.14.1 and v0.30.4 on 31 March. The detection mechanism was not fully described publicly. (Source: GTIG)
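One defender-side check a reader of the answer above will want, added here as an example and not part of the original page or of GTIG's material: a small Python script that walks an npm package-lock.json and flags every resolved copy of axios pinned to one of the two affected versions named above (1.14.1 and 0.30.4), including nested copies that another package pulled in. The sample lockfile and the package name "some-sdk" in it are constructed for the demonstration.

```python
import json
import sys

# Affected Axios versions as named on this page (GTIG disclosure, 5 May 2026).
AFFECTED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}


def find_axios_entries(lock):
    """Yield (path, version) for every resolved copy of axios in a parsed
    package-lock.json: lockfileVersion 2/3 use the flat "packages" map keyed by
    install path; lockfileVersion 1 uses a nested "dependencies" tree."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            # The last path component is the package name ("axios-retry" != "axios").
            if path.split("node_modules/")[-1] == "axios" and "version" in meta:
                yield path, meta["version"]
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "axios" and "version" in meta:
                yield path, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def affected_axios(lock):
    """Return a sorted list of (path, version) entries pinned to an affected version."""
    return sorted((p, v) for p, v in find_axios_entries(lock)
                  if v in AFFECTED_AXIOS_VERSIONS)


# Constructed sample lockfile (not a real project): the direct axios dependency is
# clean, but a hypothetical package "some-sdk" carries a nested copy of 0.30.4.
SAMPLE_LOCK_V3 = {
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.0"},
        "node_modules/axios-retry": {"version": "4.0.0"},
        "node_modules/some-sdk": {"version": "2.0.0"},
        "node_modules/some-sdk/node_modules/axios": {"version": "0.30.4"},
    },
}

if __name__ == "__main__":
    # Usage: python check_axios_lock.py path/to/package-lock.json (defaults to the sample)
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    for path, version in affected_axios(lock):
        print(f"AFFECTED: {path} -> axios {version}")
```

A clean direct dependency does not clear a project: the nested copy under another package is what a version-range install can silently pull in, which is why the script reports every install path rather than only the top-level one.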

Background

Google Threat Intelligence Group (GTIG) is the combined threat-intelligence division of Google, incorporating the Mandiant team acquired by Google in 2022 for approximately $5.4 billion. In May 2026, GTIG disclosed that North Korea-nexus actor UNC1069 had compromised the Axios npm package maintainer on 31 March 2026, planting the WAVESHAPER.V2 backdoor in package versions with a combined 183 million weekly downloads.

GTIG conducts original threat research, manages Google's own threat-intelligence pipeline, and publishes attribution of state-sponsored campaigns. The Mandiant heritage gives the group deep incident-response expertise and one of the longest-running nation-state tracking programmes in the industry; UNC designations ("Uncategorised") are Mandiant's naming convention for clusters that have not yet met the threshold for full APT attribution. UNC1069 is assessed as North Korea-nexus but has not received a confirmed APT number.

The GTIG disclosure — 35 days after the injection — came through coordinated disclosure with npm maintainers and Microsoft (via GitHub's npm infrastructure). GTIG's role as both a government threat-intelligence contractor and a commercial entity operating major internet infrastructure (Google Search, Gmail, Chrome) gives it unusual access to supply-chain telemetry that purely commercial security vendors cannot replicate.

Source Material