// latest
Recent Posts
The Axios Maintainer Post-Mortem Confirms UNC1069's Playbook
The axios maintainer's post-mortem confirms a compromise strikingly consistent with what we documented on UNC1069 months ago. The target has changed. The tradecraft hasn't.
New Site, Who Dis
Launching my new personal site, built with Astro and deployed on Cloudflare Pages.
UNC1069 and the Axios Supply Chain Attack
Our team at GTIG is releasing more details on the recent supply chain campaign targeting the popular NPM package axios, now attributed to North Korea-nexus UNC1069.
// publications
Research & Publications
North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack
Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
Assessed Cyber Structure and Alignments of North Korea in 2023
Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack
// conferences
Talks & Presentations
// press & coverage
Media
- Cyber Magazine, "GTIG: How Did North Korean Hackers Compromise Axios?": The impact of this attack is broad and has significant ripple effects, as countless other popular packages rely on axios as a dependency. 2026 is quickly shaping up to be the year of the supply chain.
- CyberSecurity Dive, "Axios open-source library targeted in sophisticated supply chain attack": Anyone that pulled axios@1.14.1 or axios@1.30.4 could have unwittingly executed a backdoor payload using the malicious dependency.
- Infosecurity Magazine, "Hackers Hijack Axios NPM Package": Austin urged security teams to check lockfiles, hunt for IOCs across developer machines and CI/CD infrastructure, and rotate credentials. GTIG attributed the activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018.
- Cyber Magazine, "DarkSword Spyware: Is Your iPhone Watching You?": Since November 2025, commercial surveillance vendors and suspected state-sponsored actors have leveraged DarkSword in distinct campaigns. GTIG has uncovered an exploit chain that can exfiltrate data, take screenshots, and record voice from infected devices.
- TechCrunch, "Google says hackers stole data from 200 companies following Gainsight breach": GTIG is aware of more than 200 potentially affected Salesforce instances following the Gainsight breach, with Scattered Lapsus$ / ShinyHunters claiming responsibility.
- Reuters, "Google says dozens of organizations affected by Oracle-linked hacking campaign": Austin's team at GTIG tracked the Oracle E-Business Suite zero-day exploitation campaign, identifying dozens of victim organizations across multiple sectors and attributing the extortion operation to a financially motivated threat actor.
- 404 Media, "Suspected Snowflake Hacker Arrested in Canada": Austin's investigation into UNC5537's sprawling Snowflake breach campaign helped build the evidence trail that culminated in the arrest of the suspected hacker in Canada.
- The Record, "CISA adds Chrome, open-source bugs": Austin's Mandiant research into active exploitation of Ivanti and open-source vulnerabilities was cited as intelligence underpinning CISA's urgent advisory, which added the bugs to the Known Exploited Vulnerabilities catalog.
- SC Magazine, "Barracuda ESG hacks focused on China's high-priority targets": Austin's investigation into UNC4841 revealed the campaign was laser-focused on China's highest-priority espionage targets, with intrusions at government and defense organizations across more than a dozen countries.
- BleepingComputer, "JumpCloud breach traced back to North Korean state hackers": Austin assessed with high confidence that the JumpCloud intrusion was the work of a cryptocurrency-focused element within North Korea's Reconnaissance General Bureau, targeting companies with crypto verticals to steal credentials and conduct reconnaissance.
- TechTarget, "Chinese nation-state actor behind Barracuda ESG attacks": Austin's research established UNC4841 as a China-nexus actor conducting government-directed espionage through the Barracuda ESG zero-day, one of the most aggressive email appliance campaigns Mandiant had ever tracked.