LIVE NEWSROOM · May 29, 2026

JINX-0164 Targets Crypto Firms with macOS Malware and CI/CD Hijacking

JINX-0164 (a previously undocumented threat actor first identified by Wiz researchers in May 2026) is actively targeting cryptocurrency organizations and blockchain developers using fake LinkedIn recruiter lures, two purpose-built macOS malware families — AUDIOFIX and MINIRAT — and a CI/CD pipeline poisoning technique that turns compromised developer workstations into supply chain entry points. The campaign has been active since at least mid-2025 and remains ongoing as of this writing.

// 01 JINX-0164: Technical Details and Attack Chain

JINX-0164 begins its attack with a convincing LinkedIn message from a fake recruiter profile. The target — typically a software developer, DevOps engineer, or blockchain developer at a cryptocurrency firm — receives a plausible job offer and is invited to a virtual technical interview. The meeting link directs them to a lookalike conferencing domain impersonating Microsoft Teams or another collaboration platform. Observed lookalike domains include teamicrosoft[.]com, bitget-meeting[.]com, and us03-slack[.]online.

During the fake meeting, a fabricated technical error appears — typically an audio or display problem. The victim is instructed to download a "fix," which is a bash dropper script that silently fetches AUDIOFIX from apple.driver-store[.]com. The script name and delivery domain are designed to resemble a legitimate macOS audio driver update from Apple — a plausible scenario for a developer who just accepted a random video call invite.

AUDIOFIX is a compiled-Python macOS infostealer and RAT (Remote Access Trojan — malware that grants an attacker persistent remote access to an infected machine). It supports both Intel (x86_64) and Apple Silicon (ARM64) architectures, masquerades as the system process coreaudiod (macOS's Core Audio daemon responsible for hardware audio management), and is written to disk as ChromeUpdater. Persistence is established through launchd — macOS's built-in service manager, driven via launchctl — ensuring AUDIOFIX survives reboots without further user interaction. All command-and-control (C2) communications are encrypted with AES-256-CBC (AES in cipher-block-chaining mode with a 256-bit key, a standard symmetric encryption scheme) and fall back to alternate infrastructure if the primary C2 goes offline.

A second malware family, MINIRAT, is a lightweight Go-based macOS backdoor delivered via a trojanized (a backdoored copy of an otherwise legitimate software package) npm package: @velora-dex/sdk version 4.9.1, published to the npm registry on April 7, 2026. MINIRAT supports file upload and download, arbitrary shell command execution, and system reconnaissance. Early variants used Dropbox for data exfiltration. Critically, the corresponding GitHub source code repository was never modified — JINX-0164 obtained only the npm publish credentials, not git repository access. Any source code integrity check would have found nothing wrong. The only way to detect the compromise was to compare the published npm artifact byte-for-byte against the git-tagged source.
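The artifact-versus-source comparison the paragraph calls for, written as an added example for this article (it is not code from Wiz or from the article): it downloads the tarball the registry serves for a given version with `npm pack`, builds a second tarball from the git tag that should correspond to it, and diffs the two unpacked trees. The `v<version>` tag naming, and the assumption that `npm pack` on a clean `git archive` export reproduces what the release job publishes, are mine; adjust them to your release process.

```shell
#!/bin/sh
# Added example (not from the article or the Wiz report): compare the npm
# registry's artifact for PKG@VERSION against an artifact built from the git
# tag that should correspond to it. A compromised publish token leaves the
# repository untouched, so only the shipped tarball can reveal the swap.

set -u

# Unpack an npm .tgz into DEST. npm tarballs nest everything under "package/",
# which is stripped so the registry and source trees line up.
extract_tarball() {
    tgz=$1; dest=$2
    mkdir -p "$dest"
    tar -xzf "$tgz" -C "$dest" --strip-components=1
}

# Recursively compare two unpacked trees. Prints every differing or one-sided
# file. Returns 0 when identical, 1 when the artifact diverges from source.
compare_trees() {
    source_tree=$1; registry_tree=$2
    if diff -rq "$source_tree" "$registry_tree"; then
        echo "OK: registry artifact matches source build"
        return 0
    fi
    echo "MISMATCH: registry artifact differs from source build"
    return 1
}

# Full check. Assumes tags are named v<version> (adjust to your scheme) and
# that `npm pack` in a clean export reproduces what your release job publishes.
check_npm_artifact() {
    pkg=$1; version=$2; repo=$3
    work=$(mktemp -d)

    # 1. The artifact exactly as `npm install` would fetch it
    (cd "$work" && npm pack "$pkg@$version" >/dev/null) || return 1
    extract_tarball "$work"/*.tgz "$work/registry"

    # 2. A clean export of the signed tag, packed the same way; the export
    #    never touches the working tree of the checkout
    tag="v$version"
    (cd "$repo" && git verify-tag "$tag" >/dev/null 2>&1) || {
        echo "ERROR: tag $tag missing or its signature does not verify"; return 1; }
    mkdir -p "$work/export" "$work/srcpack"
    (cd "$repo" && git archive "$tag") | tar -x -C "$work/export"
    (cd "$work/export" && npm pack --pack-destination "$work/srcpack" >/dev/null) || return 1
    extract_tarball "$work/srcpack"/*.tgz "$work/source"

    # 3. Byte-for-byte comparison of the two trees
    compare_trees "$work/source" "$work/registry"
}

# Stand-alone usage: ./check.sh @scope/package 1.2.3 /path/to/source/checkout
if [ "$#" -eq 3 ]; then
    check_npm_artifact "$@"
fi
```

If the package has a `prepack` or build step, run the same install and build commands in the export directory before `npm pack`, otherwise the source tree will be missing generated files and every version will show as a mismatch. Any difference that survives that step is a file the registry is serving that the tag does not contain.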

JINX-0164 kill chain — cryptocurrency developer targeting via fake recruiter lure

Once AUDIOFIX is running, JINX-0164 pivots to CI/CD (Continuous Integration/Continuous Deployment — the automated pipeline that builds, tests, and deploys software) compromise using the open-source penetration testing tool nord-stream. This tool extracts GitHub Actions Secrets — the API keys, code-signing certificates, cloud credentials, and deployment tokens stored inside a repository's automated build pipeline. With those secrets in hand, the attacker can inject malicious code into every software release the compromised organization ships downstream.

JINX-0164 has also been observed pushing spoofed commits directly to victim repositories using two techniques: altering the committer identity field to impersonate legitimate developers, and pushing directly to unprotected branches. GitHub Vigilant Mode marks such commits as "Unverified" because the signing key does not match the impersonated developer — this is currently the most reliable real-time detection signal for this specific technique.
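A scriptable version of the check that Vigilant Mode performs in the GitHub UI, written as an added example for this article (not code from Wiz or from the article): it reads `git log` output with the `%G?` signature-status placeholder and flags commits that are unsigned, signed with an untrusted or bad key, or committed by an identity outside an allowlist. The allowlist addresses and the sample log lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the article or the Wiz report): audit commit
# signatures and committer identities the way GitHub Vigilant Mode does,
# but offline, over `git log` output.
#
# %G? signature status codes: G good, B bad, U good but untrusted key,
# X/Y expired, R revoked, E cannot check (missing key), N no signature.

set -u

# Committer e-mail addresses permitted on protected branches.
# Constructed allowlist for the example; replace with your developer roster.
ALLOWED_COMMITTERS="alice@example.com bob@example.com"

is_allowed() {
    for addr in $ALLOWED_COMMITTERS; do
        [ "$addr" = "$1" ] && return 0
    done
    return 1
}

# Reads "hash|sigstatus|author|author-email|committer|committer-email|subject"
# lines on stdin (format string given in the usage below) and prints one FLAG
# line per suspicious commit. Returns 1 if anything was flagged, else 0.
audit_commits() {
    flagged=0
    while IFS='|' read -r hash sig an ae cn ce subject; do
        [ -z "$hash" ] && continue
        reason=""
        case "$sig" in
            G) ;;                                     # verified, trusted key
            U) reason="signed with untrusted key" ;;
            N) reason="unsigned" ;;
            *) reason="bad/expired/revoked/unchecked signature ($sig)" ;;
        esac
        # A spoofed committer field only passes this test if the attacker also
        # used a roster address; the signature check above still catches it.
        if ! is_allowed "$ce"; then
            reason="${reason:+$reason; }committer $ce not on allowlist"
        fi
        if [ -n "$reason" ]; then
            echo "FLAG $hash author=$an <$ae> committer=$cn <$ce>: $reason :: $subject"
            flagged=1
        fi
    done
    return "$flagged"
}

# Stand-alone usage: ./audit.sh --audit origin/main~50..origin/main
if [ "${1:-}" = "--audit" ]; then
    git log --format='%h|%G?|%an|%ae|%cn|%ce|%s' "${2:-HEAD~50..HEAD}" | audit_commits
fi
```

`%G?` reports G only for keys present in the local GPG keyring (or, for SSH signatures, listed in the configured `gpg.ssh.allowedSignersFile`), so import the roster's public keys first; otherwise legitimately signed commits show as U or E and the output is noise.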

// 02 Exploitation Status and Threat Landscape

JINX-0164 is actively targeting cryptocurrency firms right now. There are no CVEs (Common Vulnerabilities and Exposures — standardized identifiers assigned to known software vulnerabilities) associated with this campaign. Every step relies entirely on social engineering (manipulating people rather than exploiting software bugs), which means perimeter-level patch management has no effect.

Wiz notes tactical overlaps with BlueNoroff (a financially motivated sub-cluster of North Korea's Lazarus Group, responsible for multiple high-value crypto heists) and UNC1069 (also tracked as Sapphire Sleet — a DPRK-affiliated group specializing in cryptocurrency theft via fake job lures). DPRK (Democratic People's Republic of Korea — North Korea) state actors have used crypto theft to fund weapons programs under international sanctions. However, JINX-0164's infrastructure shares no confirmed technical overlaps with other publicly tracked DPRK clusters, and Wiz has not formally attributed the campaign. Attribution remains unconfirmed.

The only publicly named victim is BitGet, a cryptocurrency trading platform, referenced in a February 2026 community incident report. The @velora-dex/sdk npm package compromise additionally affected developers in the VeloraDEX ecosystem. Total victim count has not been published.

// 03 Who Is Affected

JINX-0164 targets technical staff at:

  • Cryptocurrency exchanges, DeFi (Decentralized Finance — blockchain-based financial services that operate without traditional intermediaries like banks) platforms, and NFT marketplaces
  • Blockchain engineering and DevOps teams managing cloud infrastructure or signing keys
  • macOS-using software developers with access to GitHub tokens, AWS credentials, or GCP service accounts

The campaign is geographically unrestricted. JINX-0164 uses commercial VPN services (Astrill, ExpressVPN, and Mullvad) to obscure attacker origin. Any crypto developer receiving unsolicited LinkedIn job offers is a potential target.

// 04 What You Should Do Right Now

  • Treat any in-call download request as a red flag. If any recruiter meeting requires you to download an audio driver, video codec, or screen-sharing fix, refuse and end the call. Legitimate platforms do not require manual driver installation during an interview.
  • Audit macOS launch services now. Open Terminal and run `launchctl list | grep -iv apple | grep -iv com.apple` and flag any unfamiliar entries — especially anything named ChromeUpdater or any entry claiming to be coreaudiod from a non-Apple path.
  • Enable GitHub Vigilant Mode immediately. In GitHub Settings → SSH and GPG keys, enable "Flag unsigned commits as unverified." JINX-0164's spoofed commits will display an "Unverified" badge, giving you an early warning signal before further damage occurs.
  • Rotate CI/CD secrets if any developer endpoint may be compromised. Assume GitHub Actions Secrets, AWS IAM credentials, and GCP service account keys accessible from any potentially infected machine are compromised. Rotate all of them now, and audit recent CI/CD pipeline runs for unexpected changes.
  • Block JINX-0164 IOCs at DNS/firewall. Key malicious infrastructure to block: apple[.]driver-store[.]com, datahub[.]ink, cloud-sync[.]online, byte-io[.]us, teamicrosoft[.]com, bitget-meeting[.]com, us03-slack[.]online. C2 IPs: 185[.]100[.]85[.]250, 84[.]32[.]83[.]250, 153[.]92[.]126[.]84.
  • Compare npm releases against source commits. For any npm package your organization publishes, verify every version on the npm registry corresponds to a tagged and GPG-signed commit in your source repository. A version gap is a supply chain compromise indicator.
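The two command-line checks in this list (the launch-service audit and the npm-version-to-tag comparison), as an added shell example that is not from the article or from Wiz. The first function parses the three-column output of `launchctl list` and reports every label outside Apple's `com.apple.*` namespace, marking labels that reuse the names the report associates with AUDIOFIX; the second reports published versions that have no signed tag behind them. The sample `launchctl` output and the version lists used in the test are constructed, and the `v<version>` tag convention is an assumption.

```shell
#!/bin/sh
# Added example (not from the article or the Wiz report): scriptable versions
# of two checks from the list above.

set -u

# --- 1. Launch-service audit -------------------------------------------------
# `launchctl list` prints a header row and then PID<TAB>Status<TAB>Label.
# Apple's own daemons live under com.apple.* (the real Core Audio daemon is
# com.apple.audio.coreaudiod). Anything else gets REVIEW; labels that borrow
# the names reported for AUDIOFIX (ChromeUpdater, coreaudiod) get SUSPECT.
flag_launch_items() {
    awk -F'\t' 'NR > 1 && $3 !~ /^com\.apple\./ {
        tag = "REVIEW"
        if (tolower($3) ~ /chromeupdater|coreaudiod/) tag = "SUSPECT"
        state = ($1 == "-") ? "not-running" : "pid " $1
        printf "%s\t%s\t%s\n", tag, state, $3
    }'
}

# --- 2. Registry version vs. signed tag --------------------------------------
# PUBLISHED and TAGGED are whitespace-separated lists; a leading "v" on tags
# is ignored. Prints each published version with no corresponding tag.
find_untagged_versions() {
    published=$1; tagged=$2
    for v in $published; do
        found=0
        for t in $tagged; do
            if [ "${t#v}" = "$v" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$v"; fi
    done
    return 0
}

# Live check for a package you publish; run inside the source checkout.
# Only tags whose signature verifies count as present, so an unsigned or
# forged tag shows up as a gap as well.
check_version_gap() {
    pkg=$1
    published=$(npm view "$pkg" versions --json | tr -d '[]",')
    signed_tags=""
    for t in $(git tag -l 'v*'); do
        if git verify-tag "$t" >/dev/null 2>&1; then
            signed_tags="$signed_tags $t"
        fi
    done
    find_untagged_versions "$published" "$signed_tags"
}

# Stand-alone usage:
#   ./check.sh --launch                 audit this user's launch services
#   ./check.sh --versions @scope/pkg    list registry versions with no signed tag
if [ "${1:-}" = "--launch" ]; then
    launchctl list | flag_launch_items
elif [ "${1:-}" = "--versions" ] && [ -n "${2:-}" ]; then
    check_version_gap "$2"
fi
```

`launchctl list` without privileges only shows the current user's session; run the audit again under `sudo` for the system domain, and treat a REVIEW line as a prompt to inspect the plist's program path, since a legitimate label can still point at a replaced binary.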

// 05 Background: Understanding the Risk

The attack surface JINX-0164 exploits sits at the intersection of human trust and automated software delivery — arguably the most dangerous combination in modern software security.

What is a CI/CD supply chain attack? A CI/CD pipeline is the automated system that builds, tests, signs, and deploys software. These systems routinely hold the most sensitive credentials an engineering organization owns: code-signing certificates that determine what software end users will trust and install, cloud infrastructure keys that grant write access to production databases and storage buckets, and API tokens that can publish packages directly to public registries like npm, PyPI, or RubyGems. When an attacker compromises one developer endpoint and extracts CI/CD secrets, they can inject malicious code into every release that organization ships downstream — turning trusted software into a delivery vehicle for further malware at scale.

This is not a theoretical risk. The 2020 SolarWinds attack compromised approximately 18,000 organizations by injecting a backdoor into a software update pipeline. The 2022 Axie Infinity Ronin bridge hack ($625M stolen) has been attributed to Lazarus Group using a similar approach: compromise developer credentials, access signing infrastructure, drain assets. The 2023 3CX supply chain attack followed the same pattern, distributing DPRK-linked malware to millions of 3CX users via a trojanized software update. JINX-0164 is operating from the same playbook, refined for macOS and the crypto sector.

Why macOS? macOS now dominates developer workstations in fintech and crypto organizations. Enterprise endpoint detection and response (EDR — software that monitors and responds to threats on individual machines) tooling has historically been optimized for Windows. Many macOS endpoints in crypto firms run without equivalent EDR coverage — a gap that North Korea-linked groups have explicitly exploited since at least 2021, when BlueNoroff began systematically targeting macOS with bespoke malware after finding Windows-only tooling increasingly detected.

Why fake recruiters? Blockchain and crypto developers are among the most actively recruited professionals in technology. Receiving LinkedIn messages from headhunters is normalized behavior. JINX-0164 exploits that normalization: the attack is deliberately designed to be indistinguishable from a legitimate interview process right up until the moment the victim runs the dropper script.

// 06 Conclusion

JINX-0164 represents a sophisticated, financially motivated threat that targets cryptocurrency developers at the intersection of human trust and CI/CD infrastructure access. Crypto organizations should enable GitHub Vigilant Mode as an immediate defensive measure, enforce a policy of zero tolerance for in-call downloads, and audit all CI/CD secrets under the assumption that any potentially compromised developer endpoint has already led to credential theft. The absence of exploitable vulnerabilities means this campaign cannot be patched away — awareness and process controls are the only effective defenses.

Team Ciphers Security
The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.