
Google Threat Intelligence Group (GTIG)
Google/Mandiant's threat-intelligence division; attributed the Axios supply-chain attack to North Korea's UNC1069.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Why did it take GTIG 35 days to find WAVESHAPER.V2 inside one of npm's most-downloaded packages?
Timeline for Google Threat Intelligence Group (GTIG)
Tracked and attributed UNC6780 as the operator behind the GitHub breach
Cybersecurity: Threats and Defences: GitHub's own code cloned via add-onMentioned in: UNC6780 takes Cisco AI Defense source code
Cybersecurity: Threats and DefencesMentioned in: GTIG names the first LLM-written working zero-day
Cybersecurity: Threats and DefencesMentioned in: UNC1069 expands the npm WAVESHAPER supply chain
Cybersecurity: Threats and DefencesMentioned in: LiteLLM SQL injection hits in 36 hours
Cybersecurity: Threats and DefencesWhat is Google Threat Intelligence Group and how is it different from Mandiant?
Who is UNC1069 and is it North Korea?
How did Google detect the Axios npm package backdoor?
Background
Google Threat Intelligence Group (GTIG) is the combined threat-intelligence division of Google, incorporating the Mandiant team acquired by Google in 2022 for approximately $5.4 billion. In May 2026, GTIG disclosed that North Korea-nexus actor UNC1069 had compromised the Axios npm package maintainer on 31 March 2026, planting the WAVESHAPER.V2 backdoor in package versions with a combined 183 million weekly downloads.
GTIG conducts original threat research, manages Google's own threat-intelligence pipeline, and publishes attribution of state-sponsored campaigns. The Mandiant heritage gives the group deep incident-response expertise and one of the longest-running nation-state tracking programmes in the industry; UNC designations ("Uncategorised") are Mandiant's naming convention for clusters that have not yet met the threshold for full APT attribution. UNC1069 is assessed as North Korea-nexus but has not received a confirmed APT number.
The GTIG disclosure — 35 days after the injection — came through coordinated disclosure with npm maintainers and Microsoft (via GitHub's npm infrastructure). GTIG's role as both a government threat-intelligence contractor and a commercial entity operating major internet infrastructure (Google Search, Gmail, Chrome) gives it unusual access to supply-chain telemetry that purely commercial security vendors cannot replicate.