A financially motivated threat actor tracked as JINX-0164 has been conducting a sophisticated, multi-stage campaign against cryptocurrency organizations, using fake LinkedIn profiles to lure developers into installing custom macOS malware. Active since at least mid-2025, the group has combined social engineering, credential theft, and supply chain sabotage into a seamless operation that Wiz.io researchers say puts entire software development pipelines at risk.
The LinkedIn Lure: How the Attack Begins
The attack chain starts with a convincingly crafted LinkedIn profile reaching out to targets — typically software developers at cryptocurrency companies — under the guise of a business opportunity or job offer. Once trust is established over days or weeks, the victim receives a meeting invitation linked to a fake conferencing platform page designed to look like Microsoft Teams, Slack, or similar services.
Clicking the link triggers the download of a macOS-specific remote access tool that begins stealing sensitive data the moment it runs. The fake meeting domains identified in the campaign include:
- bitget-meeting[.]com
- teamicrosoft[.]com (Teams impersonation)
- teams[.]cam
- us03-slack[.]online (Slack impersonation)
- live[.]us[.]org
The AUDIOFIX Infostealer: Comprehensive Credential Harvesting
The primary payload is AUDIOFIX, a compiled Python infostealer and backdoor. A bash dropper script fetches it from a fake driver-update domain and writes the binary to the user's home directory as ChromeUpdater. Persistence is a LaunchAgent plist loaded with launchctl whose label borrows the name of Apple's coreaudiod audio daemon (com.microsoft.teams.coreaudiod.plist), so the entry reads like a legitimate system component to anyone skimming the LaunchAgents folder.
AUDIOFIX harvests an exceptionally broad range of credentials and data:
- macOS Keychain passwords
- Browser credentials from Chrome, Firefox, and Safari
- Cryptocurrency wallet browser extensions
- SSH private keys and cloud API tokens (AWS, GCP, Azure)
- Cloudflare API tokens
- Active sessions on Discord, Slack, and Telegram
- Real-time clipboard data (for intercepting crypto wallet addresses)
Communications with the command-and-control server are AES-256-CBC encrypted inside HTTPS, and the beacon interval is randomized to avoid the fixed-period polling that behavioral network detections key on.
From Initial Access to Full Pipeline Compromise
In one documented case, the attack unfolded over a two-week period, moving from a LinkedIn message to full infrastructure compromise. After harvesting credentials, the attacker used stolen GitHub tokens to pull CI/CD pipeline secrets with nord-stream, an open-source tool that extracts them by pushing a temporary workflow that dumps the secrets into the pipeline's own job log. The attacker then forged Git commit metadata (author name and email) to impersonate legitimate developers and pushed malicious code directly into internal repositories.
This turned the victim organization's own development infrastructure into a malware delivery mechanism: every developer who pulled from the infected branches received AUDIOFIX, spreading the compromise laterally across the development team.
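The forged commit metadata described above has one reliable tell: a commit that claims a known developer's identity but carries no valid signature from that developer. The script below is an added example (not code from the Wiz write-up or from any JINX-0164 sample) that flags such commits. It reads one line per commit in the `git log --format='%H|%an|%ae|%cn|%ce|%G?'` layout; the PROTECTED identity set and the SAMPLE_LOG lines are constructed for illustration.

```python
"""Flag commits that claim a protected developer's identity without a valid
signature, the pattern left behind by spoofed author/committer metadata.
Added example, not from the Wiz write-up. PROTECTED and SAMPLE_LOG are
constructed; run_git_log() feeds the same checker a real repository."""
import subprocess
from dataclasses import dataclass

LOG_FORMAT = "%H|%an|%ae|%cn|%ce|%G?"

# Hypothetical policy: these identities must only appear on validly signed commits.
PROTECTED = {"alice@example.com", "bob@example.com"}

# %G? codes: G good, B bad, U good/untrusted key, X/Y/R good but expired or
# revoked key, E cannot be checked (missing key), N unsigned.
GOOD, BAD = "G", "B"


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    sig: str


def parse_log(text: str) -> list[Commit]:
    """One Commit per non-empty line of LOG_FORMAT output."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 5)
        if len(parts) != 6:
            raise ValueError(f"unexpected log line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def reasons_for(commit: Commit) -> list[str]:
    """Why this commit deserves review; empty list means it passes."""
    claimed = {commit.author_email.lower(), commit.committer_email.lower()} & PROTECTED
    reasons = []
    if claimed and commit.sig != GOOD:
        reasons.append(f"claims {sorted(claimed)} but signature status is {commit.sig}")
    if commit.sig == BAD:
        reasons.append("signature present but does not verify")
    return reasons


def audit(text: str) -> dict[str, list[str]]:
    """Map of sha -> reasons for every flagged commit in the log text."""
    flagged = {}
    for commit in parse_log(text):
        why = reasons_for(commit)
        if why:
            flagged[commit.sha] = why
    return flagged


def run_git_log(repo: str, rev_range: str = "HEAD") -> str:
    """Real repositories: needs git plus the signers' GPG/SSH keys for %G? to say G."""
    return subprocess.check_output(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range], text=True)


# Constructed sample: short fake hashes, one line per commit.
SAMPLE_LOG = """\
aaaa0001|Alice Dev|alice@example.com|Alice Dev|alice@example.com|G
aaaa0002|Alice Dev|alice@example.com|Alice Dev|alice@example.com|N
aaaa0003|Carol Contractor|carol@contractor.example|Carol Contractor|carol@contractor.example|N
aaaa0004|Bob Dev|bob@example.com|Bob Dev|bob@example.com|B
aaaa0005|Alice Dev|alice@example.com|GitHub|noreply@github.com|G
"""

if __name__ == "__main__":
    for sha, why in audit(SAMPLE_LOG).items():
        print(sha, "; ".join(why))
```

The check is deliberately narrow: an unsigned commit from an identity outside PROTECTED (aaaa0003) is not impersonation and is left alone, while a web-merge signed by GitHub on behalf of a protected author (aaaa0005) passes. It will fire on a protected developer's commit that a colleague rebased without re-signing, which is the same event GitHub's vigilant mode labels Unverified, and is exactly the kind of commit a reviewer should look at after an incident like this one.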
MINIRAT: The Go-Based Backdoor
A second malware family called MINIRAT, a lightweight Go-based backdoor, is also deployed by JINX-0164. While it lacks AUDIOFIX's broad automated data theft capabilities, MINIRAT gives operators persistent remote access, command execution, and file transfer. Both AUDIOFIX and MINIRAT share the same command-and-control infrastructure, and analysis found the same AES key (v59l2uwlow9s1ebuscgfg9k9r4voxkbs, 32 ASCII bytes, consistent with the AES-256 usage) hard-coded in both samples.
Supply Chain Attack: Trojanized npm Package
On April 7, 2026, JINX-0164 escalated its operations to target the broader software supply chain. The group silently published version 4.9.1 of the npm package @velora-dex/sdk, a widely used cryptocurrency SDK, with appended code that downloads and executes a shell script whenever the package is imported by any project. That script delivers MINIRAT to the developer's machine and registers it with the existing C2 infrastructure. Only npm publishing credentials were compromised in this incident; the source repository on GitHub was never modified, which is why comparing the published tarball against the repository source, rather than reviewing the repository alone, is the check that catches this class of tampering.
Attribution and Overlap with Lazarus Group TTPs
While Wiz.io stopped short of direct attribution to a nation-state, the JINX-0164 TTPs show strong similarities to North Korean Lazarus Group sub-clusters that have historically targeted cryptocurrency developers using LinkedIn job lures and fake meeting applications. The financial motivation, focus on cryptocurrency theft, and supply chain sabotage are all consistent with Lazarus Group’s documented operational playbook.
Indicators of Compromise
Key file-based indicators defenders should hunt for:
- ~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist — AUDIOFIX persistence
- ~/Library/LaunchAgents/com.apple.Terminal.profiler.plist — MINIRAT persistence
- A file named ChromeUpdater in user home directories
- npm package @velora-dex/sdk version 4.9.1 in any project
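A hunt script over the indicators above, added here as an example and not code from Wiz or from any sample. Beyond the listed file names, package and version, it applies one heuristic that is an assumption rather than a published indicator: a launchd label that looks like an Apple or Microsoft service but whose program lives under the user's home directory. The demo() function builds a constructed directory tree (one infected LaunchAgent, one benign one, one project with the trojanized package) so the checks can be exercised offline.

```python
"""Hunt for the JINX-0164 file indicators listed above on a macOS host.
Added example, not code from the Wiz write-up or any sample. Besides the listed
indicators it applies one heuristic that is an assumption, not a published IoC:
an Apple- or Microsoft-style launchd label whose program lives under $HOME.
demo() builds a constructed directory tree so everything runs offline."""
import json
import os
import plistlib
import tempfile
from pathlib import Path

IOC_PLISTS = {"com.microsoft.teams.coreaudiod.plist": "AUDIOFIX persistence",
              "com.apple.Terminal.profiler.plist": "MINIRAT persistence"}
IOC_BINARY = "ChromeUpdater"
IOC_NPM_PACKAGE, IOC_NPM_VERSION = "@velora-dex/sdk", "4.9.1"
VENDOR_PREFIXES = ("com.apple.", "com.microsoft.")
SYSTEM_DIRS = (Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"))


def scan_launch_items(plist_dir: Path, home: Path) -> list[tuple[str, str]]:
    """Return (plist path, reason) for every launchd entry worth a look."""
    findings = []
    for p in sorted(plist_dir.glob("*.plist")):
        if p.name in IOC_PLISTS:
            findings.append((str(p), IOC_PLISTS[p.name]))
        try:
            data = plistlib.loads(p.read_bytes())
        except Exception as exc:  # a plist launchd cannot parse deserves a look too
            findings.append((str(p), f"unparseable plist: {exc}"))
            continue
        args = data.get("ProgramArguments") or [""]
        program = str(data.get("Program") or args[0])
        label = str(data.get("Label", ""))
        if Path(program).name == IOC_BINARY:
            findings.append((str(p), f"launches {IOC_BINARY}"))
        if label.startswith(VENDOR_PREFIXES) and program.startswith(str(home)):
            findings.append((str(p), f"vendor-style label {label} runs a binary from the user's home"))
    return findings


def find_binary(home: Path, max_depth: int = 3) -> list[str]:
    """Files named ChromeUpdater at most max_depth levels below home."""
    hits = []
    for root, dirs, files in os.walk(home):
        if len(Path(root).relative_to(home).parts) >= max_depth:
            dirs[:] = []  # stop descending
        if IOC_BINARY in files:
            hits.append(str(Path(root) / IOC_BINARY))
    return hits


def scan_npm(project_root: Path) -> list[str]:
    """Installed copies (package.json) and lockfile pins of the trojanized version."""
    hits = []
    for f in [*project_root.rglob("package.json"), *project_root.rglob("package-lock.json")]:
        try:
            meta = json.loads(f.read_text())
        except (OSError, ValueError):
            continue
        if f.name == "package.json":
            if meta.get("name") == IOC_NPM_PACKAGE and meta.get("version") == IOC_NPM_VERSION:
                hits.append(str(f))
            continue
        # lockfileVersion 2/3 key entries by install path, v1 by package name
        entries = {**meta.get("packages", {}), **meta.get("dependencies", {})}
        for key, val in entries.items():
            if key.endswith(IOC_NPM_PACKAGE) and isinstance(val, dict) and val.get("version") == IOC_NPM_VERSION:
                hits.append(f"{f} -> {key}")
    return hits


def hunt(home: Path, project_roots: list[Path], system_dirs=SYSTEM_DIRS) -> dict[str, list]:
    """Run all three checks; system_dirs covers the machine-wide launchd folders."""
    dirs = [home / "Library" / "LaunchAgents", *system_dirs]
    return {"launchd": [f for d in dirs if d.is_dir() for f in scan_launch_items(d, home)],
            "binaries": find_binary(home),
            "npm": [h for root in project_roots for h in scan_npm(root)]}


def demo() -> dict[str, list]:
    """Constructed tree: one infected LaunchAgent, one benign one, one infected project."""
    root = Path(tempfile.mkdtemp(prefix="jinx0164-"))
    home, proj = root / "home" / "dev", root / "proj"
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    (home / IOC_BINARY).write_bytes(b"#!/bin/sh\n")  # stand-in for the dropped binary
    (agents / "com.microsoft.teams.coreaudiod.plist").write_bytes(plistlib.dumps(
        {"Label": "com.microsoft.teams.coreaudiod", "RunAtLoad": True,
         "ProgramArguments": [str(home / IOC_BINARY)]}))
    (agents / "com.example.sync.plist").write_bytes(plistlib.dumps(
        {"Label": "com.example.sync", "ProgramArguments": ["/usr/bin/true"]}))
    sdk = proj / "node_modules" / "@velora-dex" / "sdk"
    sdk.mkdir(parents=True)
    (sdk / "package.json").write_text(json.dumps({"name": IOC_NPM_PACKAGE, "version": IOC_NPM_VERSION}))
    (proj / "package-lock.json").write_text(json.dumps(
        {"lockfileVersion": 3, "packages": {"node_modules/@velora-dex/sdk": {"version": IOC_NPM_VERSION}}}))
    return hunt(home, [proj], system_dirs=())


if __name__ == "__main__":
    for category, items in demo().items():
        print(category, *items, sep="\n  ")
```

On a real host, call hunt(Path.home(), [each checkout directory]) with the default system_dirs so /Library/LaunchAgents and /Library/LaunchDaemons are covered as well; the lockfile check matters because a pinned 4.9.1 will be reinstalled on the next clean build even after node_modules is deleted.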
Recommendations
- Deploy an Endpoint Detection and Response (EDR) solution on all macOS developer machines, not just Windows endpoints.
- Enable GitHub vigilant mode, which marks any commit attributed to your account that lacks a valid signature as Unverified, and require signed commits so that spoofed author metadata stands out in review.
- Audit ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons for unexpected entries, especially labels that mimic Apple or Microsoft system services or point at binaries in a user's home directory.
- Watch CI/CD audit and pipeline logs for the traces nord-stream leaves (short-lived branches, workflow files that appear and then disappear, pipeline runs that dump secrets to the job log) and flag any new package publication from an unfamiliar IP address.
- Train developers to verify the identity of LinkedIn contacts before clicking meeting links, particularly when contacts are unknown or recently created.
- Implement MFA and hardware security keys for npm, GitHub, and cloud provider accounts to limit the damage from stolen tokens.