A new threat actor tracked as JINX-0164 has been running calculated attacks against cryptocurrency organizations, using LinkedIn profiles to lure developers into downloading custom macOS malware.
Active since at least mid-2025, the group has combined social engineering, credential theft, and supply chain sabotage into a seamless operation that puts the entire software development pipeline at risk.
The attacks begin with a convincingly crafted LinkedIn profile reaching out to targets under the guise of a business opportunity or a job offer.
Once trust is established, victims receive a meeting invitation linked to a fake conferencing platform page designed to look like Microsoft Teams or similar services.
Clicking the link triggers the download of a macOS-specific remote access tool that silently begins stealing sensitive data from the moment it runs.
Researchers at Wiz.io identified and named the threat cluster JINX-0164 after investigating multiple intrusions targeting cryptocurrency companies.
Wiz CIRT and Wiz Research said in a report shared with Cyber Security News that this actor is financially motivated and has been deploying two distinct malware families, AUDIOFIX and MINIRAT, with a clear focus on macOS devices.
AUDIOFIX is a compiled Python-based infostealer and backdoor that harvests browser credentials, cryptocurrency wallet extensions, SSH keys, cloud API tokens, and even clipboard data in real time.
It communicates with its command-and-control server over encrypted HTTPS, using AES-256-CBC encryption, and can quietly switch to randomized polling intervals to avoid detection.
The malware also targets active sessions on communication platforms like Discord, Slack, and Telegram, giving attackers a wide view into a victim’s digital life.
The threat actor masked their network activity by routing connections through commercial VPN services, making attribution harder.
To further cover their tracks, they tampered with Git commit metadata to impersonate legitimate developers and pushed malicious code directly into internal repositories, turning the organization’s own development infrastructure into a delivery mechanism for further infections.
JINX-0164 Threat Actor Using LinkedIn Social Engineering
The attack chain unfolded over a two-week period in one documented case, moving from a LinkedIn message to full infrastructure compromise.
Once a developer clicked the fake meeting link, AUDIOFIX was downloaded via a bash dropper script hosted on a fake driver update domain.
The payload masqueraded as a system audio component named coreaudiod, was saved under the name ChromeUpdater, and was loaded through launchctl as a user LaunchAgent to establish persistence.
After gaining a foothold, the malware harvested credentials from macOS Keychain, browsers, and cloud configuration files, including AWS, GCP, and Azure keys, as well as Cloudflare API tokens.
GitHub tokens were then used to exfiltrate secrets from CI/CD pipelines using an open-source tool called nord-stream. The attacker pushed infected code into shared repositories, which then spread AUDIOFIX to every developer who pulled and built from those branches.
Supply Chain Attack via Trojanized npm Package
On April 7, 2026, JINX-0164 escalated by targeting the broader software supply chain. The group quietly modified version 4.9.1 of the npm package @velora-dex/sdk, a widely used cryptocurrency SDK, appending code that would download and execute a shell script whenever the package was imported by any project.
That shell script delivered MINIRAT, a lightweight Go-based backdoor that registers infected machines with the same command-and-control infrastructure used by AUDIOFIX.
Although MINIRAT does not perform the same broad automated data theft, it provides operators with persistent remote access and the ability to execute commands and move files.
Only npm credentials were compromised in this incident, as the source code on GitHub remained unmodified.
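The host-side artifacts described above (LaunchAgent persistence under masquerading names, the ~/.zsh_cache file) and the trojanized @velora-dex/sdk 4.9.1 release can be checked with a short triage script. This is an added example, not code from the article or from Wiz; the LaunchAgent labels, file names and package version come from the article's IoC table, while the sample plist and lockfile below are constructed inputs, and the `/Users/dev/.cache/coreaudiod` path is an invented placeholder.

```python
import json, plistlib
from pathlib import Path

# Indicators taken from the article's IoC table (LaunchAgent labels, file names, npm package).
SUSPECT_LABELS = {"com.microsoft.teams.coreaudiod", "io.aircall.workspace.helper", "com.apple.Terminal.profiler"}
SUSPECT_BINARIES = {"coreaudiod", "ChromeUpdater"}
TROJANIZED_PACKAGE, TROJANIZED_VERSION = "@velora-dex/sdk", "4.9.1"

def audit_launch_agent(plist_bytes: bytes) -> list:
    """Return findings for one ~/Library/LaunchAgents/*.plist. The real coreaudiod is a system
    daemon started by launchd itself; a user LaunchAgent naming coreaudiod or ChromeUpdater
    is the masquerade described in the article, whatever directory the file sits in."""
    try:
        plist = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return ["unparseable plist"]
    findings = []
    label = plist.get("Label", "")
    if label in SUSPECT_LABELS:
        findings.append(f"known persistence label: {label}")
    argv = [plist["Program"]] if "Program" in plist else []
    argv += list(plist.get("ProgramArguments", []))
    for arg in argv:
        if Path(str(arg)).name in SUSPECT_BINARIES:
            findings.append(f"masquerading executable: {arg}")
    return findings

def audit_lockfile(lock_json: str) -> list:
    """Flag the trojanized SDK version in a package-lock.json (lockfileVersion 2 or 3)."""
    lock = json.loads(lock_json)
    return [f"{path}@{meta.get('version')}" for path, meta in lock.get("packages", {}).items()
            if path.endswith("node_modules/" + TROJANIZED_PACKAGE)
            and meta.get("version") == TROJANIZED_VERSION]

def scan_home(home: Path = Path.home()) -> dict:
    """Run the LaunchAgent check on a real home directory and look for the ~/.zsh_cache artifact."""
    report = {}
    for plist_path in (home / "Library" / "LaunchAgents").glob("*.plist"):
        if hits := audit_launch_agent(plist_path.read_bytes()):
            report[str(plist_path)] = hits
    if (home / ".zsh_cache").exists():  # XOR-encoded stolen password, per the IoC table
        report[str(home / ".zsh_cache")] = ["artifact present"]
    return report

# Constructed sample inputs (not real samples) so the checks can be exercised offline.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.microsoft.teams.coreaudiod</string>
<key>ProgramArguments</key><array><string>/Users/dev/.cache/coreaudiod</string></array>
</dict></plist>"""
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/@velora-dex/sdk": {"version": "4.9.1"}}})
```

Point `audit_lockfile` at every package-lock.json in your CI checkouts as well as developer machines, since the article notes the payload ran wherever the package was imported.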
Organizations are advised to deploy an Endpoint Detection and Response solution and enable audit logging across all cloud platforms and version control systems by default.
Security teams should watch for unverified commits in GitHub, unexpected VPN usage from providers like ExpressVPN, Astrill VPN, and Mullvad VPN, and any anomalous workflow activity in CI/CD pipelines.
Enabling GitHub Vigilant Mode can help surface developer impersonation attempts through unsigned or mismatched commits. Teams should also monitor for the use of nord-stream and flag any new code package publications originating from unfamiliar IP addresses.
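The commit-level checks recommended above (unsigned or mismatched commits, nord-stream's impersonation identity and its working branch) can be automated over `git log` output. This is an added example rather than code from the article or from Wiz: the committer identity and branch name are the ones in the IoC table, `%G?` is git's built-in signature-status placeholder, and the sample log lines, hashes and the developer "alice" are constructed.

```python
import subprocess

# Indicators from the article's IoC table.
SUSPECT_IDENTITIES = {"nord-stream", "nord-stream@localhost.com"}
SUSPECT_BRANCH = "dev_remote_ea5Eu/test/v1"
SEP = "\x1f"  # ASCII unit separator: cannot occur in names or e-mail addresses
# git log pretty-format: hash, author name/email, committer name/email, signature status
LOG_FORMAT = SEP.join(["%H", "%an", "%ae", "%cn", "%ce", "%G?"])
# %G? values other than G (good) and U (good, untrusted key) mean the commit is not verifiably
# signed: N = no signature, B = bad, E = key unavailable, X/Y = expired, R = revoked key.
UNVERIFIED = {"N", "B", "E", "X", "Y", "R"}

def audit_log_lines(lines, trusted_signers):
    """Flag impersonated commits in `git log --format=LOG_FORMAT` output.
    trusted_signers: e-mails of developers whose commits are expected to be signed; an
    unverified commit attributed to one of them is what Vigilant Mode shows as Unverified."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split(SEP)
        if len(fields) != 6:
            continue
        sha, an, ae, cn, ce, sig = fields
        if {an, ae, cn, ce} & SUSPECT_IDENTITIES:
            findings.append((sha, f"nord-stream identity in commit metadata ({cn} <{ce}>)"))
        if sig in UNVERIFIED and ae in trusted_signers:
            findings.append((sha, f"unverified commit attributed to {ae}"))
    return findings

def audit_repo(repo, trusted_signers):
    """Run the audit on a real checkout, plus a check for the branch nord-stream creates."""
    log = subprocess.run(["git", "-C", repo, "log", "--all", f"--format={LOG_FORMAT}"],
                         capture_output=True, text=True, check=True).stdout.splitlines()
    findings = audit_log_lines(log, trusted_signers)
    refs = subprocess.run(["git", "-C", repo, "for-each-ref", "--format=%(refname:short)"],
                          capture_output=True, text=True, check=True).stdout.split()
    if any(ref.endswith(SUSPECT_BRANCH) for ref in refs):
        findings.append(("ref", f"branch present: {SUSPECT_BRANCH}"))
    return findings

# Constructed sample log (hashes and identities invented; alice normally signs her commits).
TRUSTED = {"alice@example.com"}
SAMPLE_LOG = [
    SEP.join(["a" * 40, "Alice", "alice@example.com", "Alice", "alice@example.com", "G"]),
    SEP.join(["b" * 40, "Alice", "alice@example.com", "Alice", "alice@example.com", "N"]),
    SEP.join(["c" * 40, "Alice", "alice@example.com", "nord-stream", "nord-stream@localhost.com", "N"]),
]

def sample_findings():
    return audit_log_lines(SAMPLE_LOG, TRUSTED)
```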
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | datahub[.]ink | Primary C2 domain (resolves to 208.115.220.17 / 185.175.59.85) |
| Domain | cloud-sync[.]online | Backup C2 domain |
| Domain | byte-io[.]us | Backup C2 domain |
| Domain | apple[.]driver-store[.]com | Payload delivery domain |
| Domain | apple[.]driver-update[.]io | Payload delivery domain |
| Domain | driver-updater[.]net | Payload delivery domain |
| Domain | driver-hub[.]net | Payload delivery domain |
| Domain | drvstore[.]com | Payload delivery domain |
| Domain | bitget-meeting[.]com | Meeting spoofing domain |
| Domain | teamicrosoft[.]com | Meeting spoofing domain (Teams impersonation) |
| Domain | teams[.]cam | Meeting spoofing domain |
| Domain | live[.]us[.]org | Meeting spoofing domain |
| Domain | us03-slack[.]online | Meeting spoofing domain (Slack impersonation) |
| Domain | live[.]ong | Meeting spoofing domain |
| File Path | ~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist | Persistence mechanism (Python RAT) |
| File Path | ~/Library/LaunchAgents/io.aircall.workspace.helper.plist | Persistence mechanism (Python RAT) |
| File Path | ~/Library/LaunchAgents/com.apple.Terminal.profiler.plist | Persistence mechanism (MINIRAT) |
| File Path | ~/.zsh_cache | XOR-encoded stolen macOS password |
| File Path | /helper.log | Malware activity log |
| File Path | /tokens.txt | Exfiltrated Discord tokens |
| File Path | /clip | Clipboard capture log |
| File Name | ChromeUpdater | AUDIOFIX payload saved under this name |
| File Name | coreaudiod | Payload masquerading as system audio driver |
| npm Package | @velora-dex/sdk v4.9.1 | Trojanized npm package used in supply chain attack |
| AES Key | v59l2uwlow9s1ebuscgfg9k9r4voxkbs | Shared AES key found in both AUDIOFIX and MINIRAT samples |
| Git Committer | nord-stream / nord-stream@localhost.com | Developer impersonation indicators in malicious commits |
| Branch Name | dev_remote_ea5Eu/test/v1 | Branch used by nord-stream during secret exfiltration |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.