"These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read said.
How JINX-0164 uses recruitment lures and fake teleconference domains
Wiz — the Google-owned cloud security company — is tracking a previously undocumented threat actor under the name JINX-0164. Active since at least mid-2025 and assessed to be financially motivated, the actor has focused on developers at cryptocurrency organizations by impersonating credible LinkedIn profiles and posing as recruiters. Targets are offered virtual meetings that direct them to a rogue domain masquerading as a teleconference provider; that interaction is the vector used to prompt a download that ultimately installs malware.
The macOS malware chain: coreaudiod, ChromeUpdater, a Python infostealer, and AUDIOFIX
In the campaign documented by Wiz, a bash script hosted on a fake driver store domain ("apple.driver-store[.]com") downloads an architecture-aware payload compatible with both Intel and Apple Silicon systems. The payload masquerades as a system audio driver named coreaudiod, is saved as ChromeUpdater, and is executed via launchctl.
That initial component triggers retrieval of a Python-based macOS infostealer and a remote access trojan codenamed AUDIOFIX. The Python malware is used to steal sensitive data from the compromised endpoint and to inject the AUDIOFIX payload into internal code distribution systems and development infrastructure. AUDIOFIX itself supports commands for manual reconnaissance, exfiltration, arbitrary shell command execution, file deletion, and retrieval of additional payloads from an external server.
What data the attackers have sought and how they move laterally
Wiz reported that the campaign has captured a broad range of credentials and artifacts. Stolen items include credentials from password managers, web browsers, and iCloud Keychain files; local administrator credentials; SSH keys; configuration files; console history files; cryptocurrency browser extension information; cryptocurrency wallet addresses; and active Discord, Slack, and Telegram sessions. According to Wiz, the attacker leverages these harvested credentials to move laterally from compromised employee laptops to code distribution systems and development infrastructure, and to modify source code in attempts to compromise additional endpoints and siphon cryptocurrencies.
Supply-chain infection: MiniRAT delivered via a poisoned @velora-dex/sdk
JINX-0164’s toolset also includes MiniRAT, a Go-based backdoor that SafeDep and StepSecurity detailed last month after it was distributed via a compromised version of an npm package named @velora-dex/sdk. That package is described as a legitimate DeFi toolkit used for token swaps, limit orders, and delta trading on the VeloraDEX decentralized exchange platform. The poisoned version downloaded a shell script from a remote server which then delivered an macOS-specific binary called MiniRAT; the backdoor can upload files, run arbitrary shell commands, and fetch additional payloads or tools from attacker-controlled domains.
Operational fingerprints and the question of geopolitical links
Wiz noted that some aspects of the campaign — including VPN services like Astrill VPN and a focus on cryptocurrency and developers — are reminiscent of techniques used by a number of North Korean threat clusters. The report names BlueNoroff, Contagious Interview, and UNC1069 as groups whose methods display similarities. However, Wiz stressed that “there are no infrastructure overlaps connecting JINX-0164 to Pyongyang at this stage,” and that while certain spoofing-domain patterns resemble those used by other North Korean actors, JINX-0164’s infrastructure does not overlap with publicly tracked North Korean groups.
What this means for technologists, affected enterprises, and open-source maintainers
- Technologists and security teams: Expect targeted social-engineering that begins outside corporate perimeter controls — on LinkedIn and in calendaring invites — and escalates into deployment of architecture-aware macOS payloads saved under plausible system names (coreaudiod/ChromeUpdater) and executed via launchctl.
- Affected enterprises and development organizations: The principal risk is lateral movement from developer endpoints into code distribution and CI/CD systems; compromise of those systems can be leveraged to tamper with source code and distribution artifacts in pursuit of cryptocurrency theft.
- Open-source maintainers and package custodians: The poisoned @velora-dex/sdk incident underscores the risk that legitimate npm packages can be used as distribution channels for macOS backdoors such as MiniRAT. Maintainers and registries should note the documented pattern of a shell script installer fetching a platform-specific binary from a remote server.
JINX-0164 combines believable human targeting with tailored macOS tooling and an explicit focus on development pipelines and cryptocurrency credentials. Active since at least mid-2025 and motivated by financial gain, the actor has already used both direct social engineering and a supply-chain compromise to reach victims; whether further infrastructure links will emerge remains an open operational question. For now, Wiz’s reporting draws a clear line from a LinkedIn message to an injected AUDIOFIX payload inside development infrastructure — a path that organizations protecting code and crypto will need to break.




