Skip to main content
Emerging ThreatsMalware & Ransomware

Jinx-0164 Targets Crypto Developers with Custom macOS Malware

Cryptocurrency developer's workspace with Mac computer, notes, and empty coffee cups.

Audiofix harvests Keychain items, browser credentials, SSH keys, cloud-provider keys and details from 51 cryptocurrency wallet extensions — and it arrives by persuading a developer to join a bogus meeting.

The LinkedIn lure and the fake meeting

Wiz says the intrusions attributed to a previously unreported cluster now tracked as Jinx-0164 typically begin on LinkedIn. The attacker creates a credible profile, poses as a business contact or recruiter and invites the target to a virtual meeting hosted on a lookalike domain impersonating a service such as Microsoft Teams. When the victim joins the call, the meeting is staged to show a fake technical fault and to prompt the user to run a "fix" that installs the malware.

Audiofix: a macOS stealer disguised as an audio driver

The payload installed by the lure is a Python-based stealer and remote access tool Wiz calls Audiofix. It masquerades as a system audio driver and runs on both Intel and Apple Silicon macOS machines. According to Wiz's analysis, Audiofix harvests sensitive credentials and keys — Keychain contents, browser credentials, SSH keys and cloud provider keys — and extracts details from 51 cryptocurrency wallet extensions. It also hijacks sessions for Discord, Slack and Telegram and monitors the clipboard for copied wallet addresses.

From harvested tokens to poisoned code pipelines

Rather than immediately pivoting into cloud accounts, Jinx-0164 leveraged harvested GitHub tokens against victims' development infrastructure. The actor used the open-source tool nord-stream to pull secrets from CI/CD pipelines, then injected Audiofix into internal repositories. Those malicious commits were disguised under other developers' names and pushed to main or existing branches; when colleagues built from the poisoned repositories, their machines were infected too, turning the build process into a propagation channel. Wiz noted GitHub's Vigilant Mode — which flags unverified commits — helped expose the impersonation and halt the spread.

The npm supply-chain trojan and MINIRAT

Jinx-0164's reach extended beyond direct intrusions. Wiz identified a trojanized release of an npm package: on April 7 the actor appended code to version 4.9.1 of the @velora-dex/sdk decentralized-exchange toolkit that fetched a second macOS backdoor called MINIRAT. The recruitment-themed lure used in the LinkedIn approach echoes earlier campaigns against crypto-focused targets, like those attributed to groups such as Slow Pisces, but Wiz stopped short of linking Jinx-0164 to any state-sponsored actor. The company also said the cluster shares techniques with North Korean groups such as UNC1069 (Sleet) while implementing them differently and showing no infrastructure overlap with tracked actors.

What this means for technologists, open-source maintainers, and enterprise security teams

  • Technologists and security teams: Watch for the published indicators of compromise and for unexpected use of VPN services flagged by Wiz — specifically Mullvad, Astrill and ExpressVPN — and investigate any secret exfiltration from CI/CD workflows.
  • Open-source maintainers and package consumers: Be alert to tampering in widely used packages; the April 7 trojanized @velora-dex/sdk release demonstrates how repository or registry compromises can deliver platform-specific backdoors such as MINIRAT.
  • Enterprise security and DevOps leaders: Treat unverified commits as suspect, enable logs that are off by default (Wiz cites GitHub IP logging) and consider controls on build and merge processes to reduce the chance that a poisoned repository can become a propagation channel.

Active since at least mid-2025 and focused almost entirely on macOS, Jinx-0164 represents a financially motivated cluster that blends social engineering, credential theft and CI/CD abuse. Wiz's recommendations — published indicators of compromise, attention to unusual VPN traffic, and enabling off-by-default logs such as GitHub IP logging — are practical next steps informed by the group's tactics. The immediate question left open by the record Wiz provides is whether more supply-chain trojanization events lie undiscovered; defenders can start by treating unverified commits as suspect and by scrutinizing any unexpected changes to build artifacts or package releases.

Original reporting: Infosecurity Magazine — New Threat Actor Jinx-0164 Targets Crypto Developers on macOS