
JINX-0164 Utilizes LinkedIn Lures to Distribute Custom macOS Malware


A newly identified threat actor tracked as JINX-0164 has emerged as a significant concern for cryptocurrency organizations. The group has reportedly been active since at least mid-2025, targeting these organizations through elaborate social engineering campaigns on LinkedIn.

Motivated primarily by financial gain, JINX-0164 employs sophisticated tactics such as custom macOS malware, credential theft, and the abuse of Continuous Integration and Continuous Delivery (CI/CD) pipelines. These methodologies aim to infiltrate development environments and extract sensitive assets from their targets.

JINX-0164’s approach to social engineering is particularly noteworthy. The profiles used in these campaigns appear highly credible, with realistic employment histories and professional connections that make them nearly impossible to distinguish from legitimate users. In some cases the group hijacked existing accounts; in others it created profiles specifically for the campaign and deleted them after the attack.

The typical attack chain initiates with a deceptive meeting invitation dispatched through LinkedIn messages, steering potential victims towards malicious domains masquerading as legitimate platforms, such as Microsoft Teams. When victims access these sites, they are prompted to download what is purported to be a meeting client or a troubleshooting tool. This seemingly innocuous action results in the installation of a malicious payload on macOS systems.

One prominent example is the malware referred to as AUDIOFIX, which was disseminated via a bash script hosted on a domain designed to imitate an Apple driver portal. The script delivers an architecture-aware payload that runs on both Intel and Apple Silicon Macs. Upon execution, the malware masquerades as a legitimate system process named coreaudiod and installs itself via launchctl, thereby establishing persistence on the infected machine.
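A defender-side check for the persistence technique described above, written for this article as an added example (not code from the report or from Wiz): it scans a directory of launchd property lists and flags any job that launches a binary named coreaudiod from anywhere other than the genuine daemon path, which is assumed here to be /usr/sbin/coreaudiod. The sample plists are constructed for the demo and are not real indicators.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumed genuine location of Apple's Core Audio daemon on macOS.
GENUINE_COREAUDIOD = "/usr/sbin/coreaudiod"


def suspicious_launchd_items(plist_dir):
    """Return (file, reason) pairs for launchd jobs that pose as coreaudiod."""
    findings = []
    for path in sorted(Path(plist_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # a malformed plist is itself worth a look
            findings.append((path.name, f"unparseable plist: {exc}"))
            continue
        label = str(job.get("Label", ""))
        programs = [str(job["Program"])] if "Program" in job else []
        args = job.get("ProgramArguments") or []
        if args:
            programs.append(str(args[0]))
        for prog in programs:
            # A binary named coreaudiod anywhere but the genuine path is a red flag.
            if Path(prog).name == "coreaudiod" and prog != GENUINE_COREAUDIOD:
                findings.append((path.name, f"{label} runs {prog}, not {GENUINE_COREAUDIOD}"))
    return findings


def make_sample_dir():
    """Write constructed sample plists (not real indicators) into a temp directory."""
    d = Path(tempfile.mkdtemp())
    samples = {
        "com.apple.audio.coreaudiod.plist": {
            "Label": "com.apple.audio.coreaudiod",
            "ProgramArguments": [GENUINE_COREAUDIOD]},
        "com.apple.coreaudiod.helper.plist": {
            "Label": "com.apple.coreaudiod.helper",
            "ProgramArguments": ["/Users/dev/Library/.cache/coreaudiod"],
            "RunAtLoad": True},
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/bin/rsync", "-a", "/Users/dev", "/Volumes/Backup"]},
    }
    for name, content in samples.items():
        with open(d / name, "wb") as fh:
            plistlib.dump(content, fh)
    return d
```

On a real host, point suspicious_launchd_items at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons in turn.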

AUDIOFIX is versatile in its functionalities, serving as both an infostealer and a remote access Trojan. It actively collects extensive data from compromised endpoints, targeting macOS Keychain credentials, browser passwords, SSH keys, cloud tokens, and even sensitive cryptocurrency wallet information. Furthermore, it exploits active sessions from popular applications like Slack, Discord, and Telegram, thereby amplifying the attackers’ reach within targeted organizations.

According to researchers from Wiz, who shared these findings with GBhackers, multiple instances of intrusion have been documented, where attackers posed as recruiters or business partners on LinkedIn, effectively luring developers into their traps. Notably, the malware is adept at targeting cloud infrastructure secrets, such as AWS, Azure, and Google Cloud Platform (GCP) credentials, along with GitHub tokens. This information is then leveraged to extract sensitive data directly from CI/CD pipelines using tools like nord-stream, thereby allowing attackers to access GitHub Actions secrets and other crucial development assets.

Moving beyond mere exploitation of cloud resources, JINX-0164 focuses on compromising software development workflows. Upon gaining access to a developer’s machine, the perpetrators inject malicious code into internal repositories, thereby facilitating the spread of infection. The group employs stealthy Git techniques to evade detection, including impersonating developers by modifying commit metadata, directly pushing harmful code to main branches, or hijacking existing branches. As other developers pull and build from these repositories, the infection proliferates within the organization’s development infrastructure.
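The commit-metadata impersonation described above can be spotted in an audit of the main branch, because Git author and committer fields are free text while a verified signature is not. The following is an added example written for this article (not code from Wiz or the affected projects): it parses constructed `git log` output and flags commits whose author and committer differ or whose author is on an assumed must-sign list but carries no trusted signature.

```python
from collections import namedtuple

Commit = namedtuple("Commit", "sha author_email committer_email sig")

# Constructed sample of `git log main --format='%H%x09%ae%x09%ce%x09%G?'`
# (hash, author email, committer email, signature status); not real data.
SAMPLE_LOG = """\
a1b2c3d\talice@example.com\talice@example.com\tG
b2c3d4e\talice@example.com\tci-bot@example.com\tN
c3d4e5f\tbob@example.com\tbob@example.com\tG
d4e5f6a\tbob@example.com\tbob@example.com\tN
"""

# Assumed policy: these developers must sign every commit on main.
SIGNING_REQUIRED = {"alice@example.com", "bob@example.com"}


def parse_log(text):
    """Parse tab-separated git log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, committer, sig = line.split("\t")
        commits.append(Commit(sha, author, committer, sig))
    return commits


def flag_commits(commits, signing_required):
    """Return (sha, reasons) for commits whose metadata does not match policy.

    %G? is 'G' only for a good signature from a trusted key; 'N' means unsigned,
    'B' bad, 'U' good but untrusted, 'E' could not be checked.
    """
    findings = []
    for c in commits:
        reasons = []
        # Author and committer normally match; a mismatch means someone else
        # rewrote or re-applied the commit (CI rebases are the usual benign cause).
        if c.author_email != c.committer_email:
            reasons.append(f"author {c.author_email} but committer {c.committer_email}")
        # Metadata can claim any author; only a verified signature proves it.
        if c.author_email in signing_required and c.sig != "G":
            reasons.append(f"no trusted signature (status {c.sig})")
        if reasons:
            findings.append((c.sha, reasons))
    return findings
```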

Such techniques convert trusted codebases into vectors for further infection, significantly enhancing the potential for widespread compromise. There have been instances where the attackers attempted to modify the source code to facilitate further credential theft, specifically targeting cryptocurrency wallets.

Additionally, JINX-0164 has showcased its capacity for supply chain attacks. In April 2026, they compromised version 4.9.1 of the npm package @velora-dex/sdk by embedding a malicious script that subsequently downloaded a secondary backdoor known as MINIRAT. Unlike AUDIOFIX, which serves multiple purposes, MINIRAT functions as a lightweight, Go-based backdoor focusing on command execution and system reconnaissance.

Both malware families communicate with command-and-control servers over HTTPS and share an intricate web of infrastructure, including domains such as datahub.ink. The attackers have also employed VPN services like Mullvad, Astrill, and ExpressVPN to obscure their activities.

Interestingly, while certain tactics employed by JINX-0164 may resemble those of known North Korean threat groups, researchers have not found direct overlaps in infrastructure. This indicates that JINX-0164 may be a distinct entity, skillfully leveraging strategies that heavily target developers and cryptocurrency platforms to maximize financial rewards while exploiting the inherent trust within software supply chains.

In summary, the emergence of JINX-0164 poses a considerable threat to the cybersecurity realm, particularly for organizations engaged in cryptocurrency. Their sophisticated methods and ability to compromise development workflows highlight the need for vigilance and enhanced security measures within the industry to mitigate such risks effectively.
