VYPR
Breach · Published May 28, 2026 · 2 sources

JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware

A new threat actor tracked as JINX-0164 is targeting cryptocurrency firms with fake recruiter lures and custom macOS malware to steal digital assets and compromise CI/CD pipelines.

A previously undocumented threat actor, tracked as JINX-0164 by Wiz researchers, is actively targeting cryptocurrency organizations with a sophisticated campaign that combines recruitment-themed social engineering, custom macOS malware, and deep targeting of CI/CD infrastructure. The campaign, which has been active since at least mid-2025, aims to facilitate digital asset theft and has already resulted in at least one supply chain attack, according to a report published by Wiz on May 28, 2026.

The attack chain begins with the threat actor creating credible LinkedIn profiles to approach employees of cryptocurrency firms. The attackers pose as recruiters and offer a virtual meeting, sending a meeting invite that directs the target to a rogue domain masquerading as a legitimate teleconference provider. Once on the fake site, victims are tricked into downloading and installing a program that triggers the retrieval of a Python-based macOS infostealer and remote access trojan codenamed AUDIOFIX. The malware is delivered via a bash script hosted on a fake driver store domain, "apple.driver-store[.]com," and masquerades as a system audio driver named coreaudiod.

AUDIOFIX is a cross-platform payload compatible with both Intel and Apple Silicon systems. Once installed, it steals sensitive data from the compromised endpoint, including credentials from password managers, web browsers, and iCloud Keychain files; local admin credentials; SSH keys; configuration files; console history files; cryptocurrency browser extension information; cryptocurrency wallet addresses; and active Discord, Slack, and Telegram sessions. The malware also supports commands for manual reconnaissance, exfiltration, arbitrary shell command execution, file deletion, and payload retrieval from an external server.

Beyond initial compromise, JINX-0164 uses AUDIOFIX to move laterally from compromised employee laptops to internal code distribution systems and development infrastructure. By injecting the AUDIOFIX payload into CI/CD pipelines, the attackers can modify source code to compromise other endpoints and steal cryptocurrency wallet credentials. This deep targeting of development infrastructure represents a significant escalation from typical credential theft, as it allows the attackers to poison software supply chains and reach downstream victims.

Another key component of JINX-0164's arsenal is MiniRAT, a Go-based backdoor that was previously distributed via a compromised version of an npm package named @velora-dex/sdk, a legitimate DeFi toolkit used for token swaps and delta trading on the VeloraDEX decentralized exchange platform. According to details shared by SafeDep and StepSecurity, the poisoned npm package downloaded a shell script from a remote server, which then delivered a macOS-specific binary called MiniRAT. The malware is equipped to upload files, run arbitrary shell commands, and fetch additional payloads or tools from attacker-controlled domains.

While some aspects of the campaign—including the use of VPN services like Astrill VPN and the focus on cryptocurrency and developers—are reminiscent of North Korean threat clusters such as BlueNoroff, Contagious Interview, and UNC1069, Wiz researchers stated that there are no infrastructure overlaps connecting JINX-0164 to Pyongyang at this stage. "Similarly, the types of spoofing domains are similar to those used by other North Korean actors; however, JINX-0164 infrastructure does not have any overlaps with other publicly tracked North Korean groups," Wiz said.

The campaign highlights the growing sophistication of financially motivated threat actors targeting the cryptocurrency sector, particularly through supply chain attacks. By compromising developer machines and CI/CD pipelines, JINX-0164 can achieve broad impact with a single initial compromise. Organizations in the cryptocurrency space are advised to implement strict access controls for development infrastructure, monitor for suspicious recruitment-themed communications, and deploy endpoint detection and response solutions capable of identifying macOS malware like AUDIOFIX and MiniRAT.

Wiz's detailed analysis reveals that JINX-0164's macOS malware, AUDIOFIX, masquerades as a system audio driver and harvests Keychain contents, browser credentials, SSH keys, cloud provider keys, and data from 51 cryptocurrency wallet extensions. The group also leverages harvested GitHub tokens to compromise victim CI/CD pipelines via the open-source tool nord-stream, injecting AUDIOFIX into internal repositories under other developers' names to propagate the infection through the build process. Additionally, on April 7, the actor trojanized version 4.9.1 of the npm package @velora-dex/sdk to deliver a second macOS backdoor called MiniRAT. Wiz provided indicators of compromise and recommended enabling GitHub IP logging to detect the activity.
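A defender-side triage check for two of the indicators described above: the Python payload masquerading as the coreaudiod audio daemon, and the trojanized @velora-dex/sdk 4.9.1 npm release. This is an added example, not Wiz's or the article's code; it assumes the genuine daemon is /usr/sbin/coreaudiod and that process records and the lockfile are supplied in the shape shown (the sample data is constructed).

```python
"""Defender triage helpers for the JINX-0164 indicators named above.
Assumptions (mine, not Wiz's): the genuine macOS coreaudiod lives at
/usr/sbin/coreaudiod and is never run by a Python interpreter."""
import json
import os

TROJANIZED = {"@velora-dex/sdk": {"4.9.1"}}  # version named in the article
GENUINE_COREAUDIOD = "/usr/sbin/coreaudiod"

def flag_impostor_coreaudiod(processes):
    """PIDs of processes presenting as coreaudiod that are not the system
    daemon. Each record: {"pid": int, "exe": str, "argv": [str, ...]}."""
    hits = []
    for p in processes:
        exe_name = os.path.basename(p["exe"])
        mentions = exe_name == "coreaudiod" or any("coreaudiod" in a for a in p["argv"])
        if not mentions:
            continue
        # A script-interpreted "driver" or a copy outside /usr/sbin is an impostor.
        if exe_name.startswith("python") or p["exe"] != GENUINE_COREAUDIOD:
            hits.append(p["pid"])
    return hits

def find_trojanized_packages(lockfile_text):
    """(name, version) pairs in a package-lock.json (v1 'dependencies' tree or
    v2/v3 flat 'packages' map) that match a known-trojanized release."""
    lock = json.loads(lockfile_text)
    found = set()
    def check(name, version):
        if version in TROJANIZED.get(name, ()):
            found.add((name, version))
    for key, entry in lock.get("packages", {}).items():
        check(key.rsplit("node_modules/", 1)[-1], entry.get("version"))  # strip path prefix
    def walk(deps):
        for name, entry in deps.items():
            check(name, entry.get("version"))
            walk(entry.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return sorted(found)

# Constructed sample data (not real telemetry): one genuine daemon, two impostors.
SAMPLE_PROCESSES = [
    {"pid": 120, "exe": "/usr/sbin/coreaudiod", "argv": ["/usr/sbin/coreaudiod"]},
    {"pid": 4511, "exe": "/usr/bin/python3", "argv": ["python3", "/Users/dev/.audio/coreaudiod"]},
    {"pid": 4530, "exe": "/Users/dev/.audio/coreaudiod", "argv": ["coreaudiod"]},
]
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"}, "node_modules/@velora-dex/sdk": {"version": "4.9.1"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
```

On a live host, feed `flag_impostor_coreaudiod` the output of a process inventory (e.g. `ps -axo pid,comm,args`) parsed into the record shape above, and point `find_trojanized_packages` at each repository's package-lock.json.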

Synthesized by Vypr AI