JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware

MacThreat

A newly identified threat actor, tracked as JINX-0164, is actively targeting cryptocurrency organizations using sophisticated recruitment-themed social engineering and custom macOS malware designed to steal digital assets and compromise development infrastructure.

Active since at least mid-2025, JINX-0164 is assessed as financially motivated and has already demonstrated the capability to execute supply chain attacks, according to researchers at Wiz. The actor leverages credible LinkedIn profiles to approach developer targets, initiating contact under the guise of recruitment.

Attack Chain and Payload Delivery

The initial lure involves a virtual meeting invitation that directs the victim to a rogue domain impersonating a legitimate teleconference provider. From there, targets are tricked into downloading and executing a malicious file disguised as a meeting client.

This action triggers a bash script hosted on a fake driver store domain, which retrieves a Python-based macOS infostealer and remote access trojan dubbed AUDIOFIX. The malware is architecture-aware, compatible with both Intel and Apple Silicon systems, and masquerades as a system audio driver named coreaudiod before being executed via launchctl.
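The persistence detail above (a Python payload posing as a system audio component and started through launchctl) suggests a simple defender check: enumerate the launchd plists in the third-party and per-user directories and flag any item that borrows the coreaudiod name without pointing at Apple's daemon, that starts an interpreter with a script, or that runs something from a user-writable location. The script below is an added example for this article; it is not code from Wiz, The Hacker News or MacThreat, and it does not know the actual label or file paths AUDIOFIX uses, which the reporting does not give. It assumes the genuine daemon is `/usr/sbin/coreaudiod` (launched from under `/System`, which is deliberately not scanned) and uses constructed sample plists so it can be exercised offline.

```python
import os
import plistlib
from pathlib import Path

# launchd locations that third parties and users can write to (assumption:
# this is where a non-Apple persistence item would have to live).
LAUNCHD_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Assumed path of Apple's real audio daemon; anything else using the name is suspect.
GENUINE_COREAUDIOD = "/usr/sbin/coreaudiod"
INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript"}
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/",
                          "/var/folders/", "/private/var/folders/")


def classify(plist: dict, source: str) -> list:
    """Return human-readable findings for one parsed launchd plist."""
    findings = []
    label = str(plist.get("Label", ""))
    args = [str(a) for a in (plist.get("ProgramArguments") or [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    uses_interpreter = os.path.basename(program) in INTERPRETERS and len(args) > 1
    # The file that actually runs: the script when an interpreter is used.
    target = args[1] if uses_interpreter else program
    names = [label.lower()] + [os.path.basename(a).lower() for a in [program] + args[1:]]

    # 1. Something calls itself coreaudiod but is not Apple's daemon.
    if any("coreaudiod" in n for n in names) and program != GENUINE_COREAUDIOD:
        findings.append(f"{source}: coreaudiod name used by non-Apple program {program!r}")
    # 2. Persistence item hands a script to an interpreter at login/boot.
    if uses_interpreter:
        findings.append(f"{source}: interpreter {program!r} runs {args[1]!r}")
    # 3. The thing that runs lives where an unprivileged user could have dropped it.
    if target.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"{source}: persistence target {target!r} is in a user-writable path")
    return findings


def scan_plist_bytes(data: bytes, source: str) -> list:
    """Parse one plist (XML or binary) and classify it."""
    try:
        plist = plistlib.loads(data)
    except plistlib.InvalidFileException:
        return [f"{source}: unparseable plist"]
    return classify(plist, source) if isinstance(plist, dict) else []


def scan_directories(dirs=LAUNCHD_DIRS) -> list:
    """Scan every *.plist under the given launchd directories."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            findings.extend(scan_plist_bytes(p.read_bytes(), str(p)))
    return findings


# Constructed sample items (not real AUDIOFIX artifacts) for offline testing.
SAMPLES = {
    "benign": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
        "RunAtLoad": True,
    }),
    "masquerade": plistlib.dumps({
        "Label": "com.apple.audio.coreaudiod",
        "ProgramArguments": ["/Users/dev/Library/Application Support/coreaudiod"],
        "RunAtLoad": True,
    }),
    "interpreter": plistlib.dumps({
        "Label": "com.example.audio",
        "ProgramArguments": ["/usr/bin/python3", "/Users/dev/.local/coreaudiod.py"],
        "KeepAlive": True,
    }),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        for f in scan_plist_bytes(data, name) or [f"{name}: no findings"]:
            print(f)
    for f in scan_directories():  # live scan of this machine's launchd dirs
        print(f)
```

The three heuristics are deliberately independent, so a review sees whether an item tripped on its name, on the interpreter pattern, or on its location; a genuine `/usr/sbin/coreaudiod` entry never appears in the scanned directories, so any hit on the first rule deserves a look.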

Lateral Movement and Data Exfiltration

Once installed, AUDIOFIX enables the threat actor to steal sensitive data including credentials from password managers, web browsers, and iCloud Keychain files. The malware also targets SSH keys, configuration files, console history, cryptocurrency browser extension data, wallet addresses, and active Discord, Slack, and Telegram sessions.

Beyond information theft, the malware supports commands for manual reconnaissance, arbitrary shell execution, file deletion, and payload retrieval from external servers. Critically, JINX-0164 uses this foothold to move laterally into internal CI/CD pipelines and code distribution systems, injecting the AUDIOFIX payload to compromise additional endpoints and modify source code.

Implications for Enterprise Security

This campaign underscores the evolving sophistication of social engineering attacks targeting high-value cryptocurrency and development teams. The actor’s demonstrated ability to pivot from endpoint compromise to supply chain infiltration represents a significant escalation in the threat landscape.

For organizations in the cryptocurrency sector, this campaign reinforces the need for rigorous verification of recruitment communications, endpoint detection for macOS-specific threats, and strict access controls on CI/CD infrastructure. As JINX-0164 continues to refine its techniques, enterprises must treat recruitment lures as a credible and active attack vector rather than a low-probability nuisance.

Originally reported by The Hacker News. Adapted and republished with editorial context for MacThreat.