
JINX-0164: Inside the Sophisticated macOS Malware Campaign Targeting Crypto Developers Through Fake Job Recruiters

A previously undocumented threat actor tracked as JINX-0164 has been targeting cryptocurrency organizations through sophisticated recruitment-themed social engineering campaigns, deploying custom macOS malware capable of stealing wallet credentials, hijacking developer sessions, and poisoning internal code repositories, according to a detailed technical analysis published by Wiz, the Google-owned cloud security company. The campaign, active since at least mid-2025, represents a significant escalation in how threat actors weaponize trusted professional networks to compromise cryptocurrency infrastructure at the source.

By Elena Kowalski | May 28, 2026

The Exploit Mechanics

The attack chain documented by Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read unfolds with deceptive simplicity: a credible LinkedIn profile contacts a cryptocurrency organization employee, proposes a virtual meeting, and steers the target to a malicious domain impersonating a legitimate teleconference platform such as Microsoft Teams. When the victim clicks the meeting link and downloads what appears to be a conferencing client, they instead trigger a Python-based macOS infostealer and remote access trojan codenamed AUDIOFIX.

The initial infection leverages a bash script hosted on a fraudulent domain designed to mimic an Apple driver repository — apple.driver-store[.]com. This script downloads an architecture-aware payload compatible with both Intel and Apple Silicon systems, disguising itself as a system audio driver named coreaudiod while persisting on disk under the innocuous filename ChromeUpdater. The malware executes via macOS launchctl, ensuring it runs automatically on system boot.

Once embedded in the target system, AUDIOFIX establishes command-and-control communications over HTTPS, blending its network traffic with legitimate encrypted web connections. The malware also includes a password phishing capability that writes captured passwords, XOR-encoded, to a hidden file at ~/.zsh_cache, giving the attackers the captured credentials without triggering standard security alerts.

A second tool in the JINX-0164 arsenal, codenamed MiniRAT, is a Go-based backdoor that was previously distributed through a compromised version of a legitimate npm package called @velora-dex/sdk — a real DeFi toolkit used for token swaps, limit orders, and delta trading on the VeloraDEX decentralized exchange. According to research by SafeDep and StepSecurity, the poisoned npm version downloaded a shell script from a remote server that delivered the macOS-specific MiniRAT binary, which can upload files, execute arbitrary shell commands, and fetch additional payloads from attacker-controlled infrastructure.

Affected Systems

The scope of compromised data is extensive. AUDIOFIX systematically harvests credentials from password managers, web browsers, and iCloud Keychain files. It extracts local administrator credentials, SSH keys, configuration files, and console history. Critically for the cryptocurrency sector, the malware specifically targets cryptocurrency browser extension data and wallet addresses, along with hijacking active sessions on communication platforms including Discord, Slack, and Telegram.

Beyond local credential theft, the threat actor leverages stolen GitHub tokens to exfiltrate secrets directly from CI/CD pipelines using the open-source tool nord-stream, which automates the extraction of GitHub Actions Secrets. This gives attackers access to cloud infrastructure credentials spanning AWS, GCP, Azure, and Cloudflare API tokens — effectively providing a master key to the organization’s entire development and deployment infrastructure.

Perhaps most concerning is the lateral movement technique: rather than pivoting through cloud environments in a traditional manner, JINX-0164 injects the AUDIOFIX payload directly into internal source code repositories. The threat actor employs deceptive Git tactics to evade detection, including impersonating other developers by modifying committer names and email fields, and pushing malicious commits directly to the main branch on unprotected repositories. This transforms every developer who pulls from the compromised repository into a potential secondary infection vector.

Throughout these operations, the attackers route all cloud activity through commercial VPN services — specifically Mullvad VPN, Astrill VPN, and ExpressVPN — making attribution through IP-based analysis significantly more difficult.

The Mitigation Strategy

Defending against a threat actor of this sophistication requires a layered security approach that addresses each phase of the attack chain. Organizations in the cryptocurrency sector should implement the following countermeasures:

  • Verify external meeting invitations independently — Never click meeting links directly from LinkedIn messages. Navigate to the conferencing platform manually and enter meeting codes. Treat any unsolicited business opportunity that requires downloading software as a potential red flag.
  • Enforce endpoint detection on macOS — AUDIOFIX and MiniRAT both exploit the relative lack of traditional endpoint security on developer macOS workstations. Deploy endpoint detection and response solutions that can identify anomalous launchctl persistence and unexpected network connections from processes disguised as system services.
  • Harden repository protections — Require signed commits, enforce branch protection rules on all repositories including internal ones, and implement mandatory code review for any changes to main branches. Monitor for committer metadata that does not match known organizational email patterns.
  • Rotate CI/CD secrets regularly — Assume that any secret stored in GitHub Actions or similar pipeline systems is potentially compromised. Implement automated secret rotation and use short-lived tokens rather than long-lived credentials.
  • Monitor for nord-stream usage — This open-source exfiltration tool is becoming increasingly popular among threat actors targeting developer infrastructure. Its execution against organizational GitHub repositories should trigger immediate incident response procedures.

Lessons Learned

The JINX-0164 campaign exposes a fundamental weakness in how cryptocurrency organizations approach security: while the industry focuses heavily on smart contract audits and on-chain protections, the human layer remains the most vulnerable attack surface. A convincing LinkedIn profile and a well-crafted meeting invitation were sufficient to bypass perimeter defenses and gain access to source code repositories, CI/CD pipelines, and ultimately the infrastructure that powers cryptocurrency transactions.

The attack also highlights the growing weaponization of the software supply chain. The poisoning of the @velora-dex/sdk npm package demonstrates that attackers no longer need to compromise their targets directly — they can infect a widely used developer tool and wait for victims to install it through normal development workflows. With Bitcoin trading around 73,000 dollars and the broader cryptocurrency market managing hundreds of billions in assets, the financial incentives for this type of patient, multi-stage attack will only grow stronger.

Wiz noted certain tactical similarities between JINX-0164 and well-known North Korean threat clusters such as BlueNoroff, Contagious Interview, and UNC1069, particularly in the use of fake recruiter personas and VPN-masked infrastructure. However, the researchers found no infrastructure overlaps connecting JINX-0164 to Pyongyang-backed groups at this stage, suggesting this could be an independent financially motivated actor or an as-yet-unlinked state-sponsored operation.

The two-week attack timeline documented in the case study also serves as a warning: JINX-0164 does not rush. The threat actor builds trust, methodically harvests credentials, and carefully positions its payloads before executing the final impact phase. This patience makes the campaign harder to detect through real-time monitoring alone, as each individual action appears plausible in isolation.

User Action Required

Cryptocurrency developers and organizations should take immediate steps to assess their exposure to this campaign:

  • Audit macOS endpoints for unexpected launchctl entries, particularly any persistent agents referencing “ChromeUpdater” or processes masquerading as “coreaudiod” that are not located in the legitimate system framework directories.
  • Review npm package integrity — Check whether any projects have installed versions of @velora-dex/sdk from the period when the compromised package was active. Verify package checksums against known-good values from the npm registry.
  • Revoke and rotate credentials — Any developer who has participated in an external video call after receiving an unsolicited LinkedIn invitation should assume their credentials are compromised and rotate all passwords, SSH keys, API tokens, and CI/CD secrets immediately.
  • Inspect Git history — Review recent commits to all repositories for unexpected committer names, email addresses that do not match organizational patterns, or direct-to-main commits that bypassed normal review processes.
  • Block known indicators of compromise — Add the domain apple.driver-store[.]com to DNS blocklists and monitor network logs for any historical connections to this domain.
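The launchctl, Git-history and indicator checks in the two lists above can be scripted. The following is an added example written for this article, not tooling from Wiz or from the researchers cited; it audits (1) LaunchAgent/LaunchDaemon plists for the “ChromeUpdater” persistence name or a “coreaudiod” executable outside system directories, (2) git log records for committer or author emails outside the organization’s domain and for author/committer identity mismatches, and (3) DNS or proxy log lines for the apple.driver-store[.]com domain. The plist contents, git log lines, network log lines and the org domain `example-crypto.com` are constructed sample data; the allowlist of system directory prefixes and the assumption that the legitimate coreaudiod lives under /usr/sbin are mine. On a real host, feed it the files under ~/Library/LaunchAgents and /Library/LaunchDaemons and the output of `git log --format='%H%x09%an%x09%ae%x09%cn%x09%ce'`.

```python
import plistlib
import re

# Assumption: a genuine coreaudiod launchd job points into these system locations.
LEGIT_SYSTEM_PREFIXES = ("/usr/sbin/", "/System/", "/usr/libexec/")
# Article IoC, written defanged as apple.driver-store[.]com
IOC_DOMAIN_RE = re.compile(r"\bapple\.driver-store\.com\b", re.IGNORECASE)
ORG_DOMAINS = {"example-crypto.com"}  # constructed org domain for the sample


def audit_launch_plist(path, data):
    """Return findings for one launchd plist (raw bytes). Empty list means clean."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:
        return [f"{path}: unparseable plist ({exc})"]
    label = str(plist.get("Label", ""))
    args = [str(a) for a in (plist.get("ProgramArguments") or [])]
    executable = str(plist.get("Program") or (args[0] if args else ""))
    haystack = " ".join([label, executable] + args).lower()
    findings = []
    if "chromeupdater" in haystack:
        findings.append(f"{path}: references ChromeUpdater (AUDIOFIX on-disk name)")
    exe_name = executable.rsplit("/", 1)[-1].lower()
    if exe_name == "coreaudiod" and not executable.startswith(LEGIT_SYSTEM_PREFIXES):
        findings.append(f"{path}: coreaudiod outside system directories: {executable}")
    return findings


def audit_commits(log_text, org_domains):
    """Parse tab-separated 'hash author-name author-email committer-name committer-email'
    records and flag non-org emails and author/committer mismatches.
    Mismatches also arise from rebases and cherry-picks, so treat them as triage leads."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, an, ae, cn, ce = line.split("\t")
        reasons = []
        for role, email in (("author", ae), ("committer", ce)):
            if email.rsplit("@", 1)[-1].lower() not in org_domains:
                reasons.append(f"{role} email outside org: {email}")
        if (an, ae) != (cn, ce):
            reasons.append("author/committer identity mismatch")
        if reasons:
            flagged.append((sha, reasons))
    return flagged


def find_ioc_hits(log_lines):
    """Return log lines that mention the article's malicious domain."""
    return [line for line in log_lines if IOC_DOMAIN_RE.search(line)]


# --- constructed sample inputs -------------------------------------------------
SAMPLE_PLISTS = {
    # Constructed: mimics the persistence described in the article
    "/Users/dev/Library/LaunchAgents/com.google.ChromeUpdater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.google.ChromeUpdater</string>
<key>ProgramArguments</key><array><string>/Users/dev/Library/Caches/coreaudiod</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    # Constructed: a system-looking job whose executable is in a legitimate location
    "/System/Library/LaunchDaemons/com.apple.audio.coreaudiod.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.audio.coreaudiod</string>
<key>Program</key><string>/usr/sbin/coreaudiod</string>
</dict></plist>""",
}

SAMPLE_GIT_LOG = (
    "a1b2c3d\tAlice Dev\talice@example-crypto.com\tAlice Dev\talice@example-crypto.com\n"
    "d4e5f6a\tBob Dev\tbob@example-crypto.com\tBob Dev\tbob@contractor-mail.example\n"
    "0f9e8d7\tAlice Dev\talice@example-crypto.com\tCarol Ops\tcarol@example-crypto.com\n"
)

SAMPLE_NET_LOG = [
    "2026-05-12T09:14:02Z dns host=devbox-07 qname=github.com",
    "2026-05-12T09:14:31Z dns host=devbox-07 qname=apple.driver-store.com",
    "2026-05-12T09:15:10Z proxy CONNECT host=devbox-07 dst=teams.microsoft.com:443",
]


def run_audit(plists=SAMPLE_PLISTS, git_log=SAMPLE_GIT_LOG,
              net_log=SAMPLE_NET_LOG, org_domains=ORG_DOMAINS):
    """Run all three checks and return a dict of findings per category."""
    return {
        "launchd": [f for path, data in plists.items() for f in audit_launch_plist(path, data)],
        "git": audit_commits(git_log, org_domains),
        "network": find_ioc_hits(net_log),
    }


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(f"== {category}: {len(items)} finding(s)")
        for item in items:
            print("  ", item)
```

On the sample data the script reports two launchd findings (the ChromeUpdater label and the coreaudiod copy under ~/Library/Caches), two commits worth a look (one with an off-domain committer email, one where the committer is not the author), and one network line resolving the IoC domain. A commit that only trips the author/committer mismatch rule is a lead, not proof; confirm it against the repository’s review records before escalating.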


Disclaimer

The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.


8 thoughts on “JINX-0164: Inside the Sophisticated macOS Malware Campaign Targeting Crypto Developers Through Fake Job Recruiters”

  1. Fake LinkedIn recruiters deploying custom macOS malware to steal wallet creds is next level social engineering. The attack surface for crypto orgs is way bigger than just smart contracts.

    1. the fake recruiter angle is so specific too. they study your linkedin for weeks, reference real projects, then send a coding challenge that is actually a payload

      1. the coding challenge payloads are getting more sophisticated too. saw one that ran a real algorithmic test while exfiltrating keys in parallel

    2. dev laptops are the softest target in any crypto org. audit all the smart contracts you want, one phished engineer undoes everything

  2. rekt_pelican_

    poisoning internal code repos through compromised dev machines is brutal. one bad commit and your entire org is owned

    1. supply_chain_z

      supply chain attacks through developer machines are going to get worse before they get better. the solarwinds playbook but for crypto

  3. Wiz publishing this is a public service. The fact that this campaign has been active since mid-2025 and we are only hearing about it now is concerning.

    1. xss_mongoose_

      chidi, the disclosure timeline is actually normal for APT-level stuff. you do not publish while the actor is still active and can pivot
