JINX-0164: The Orchestrated Targeting of Crypto-Development Pipelines
A sophisticated new threat actor, identified as JINX-0164, has emerged with a specialized focus on infiltrating cryptocurrency organizations. Unlike broad-spectrum cybercrime groups, this actor employs highly targeted social engineering via LinkedIn to bypass traditional perimeter defenses and strike directly at the heart of the software development lifecycle (SDLC).
Since mid-2025, JINX-0164 has demonstrated a high level of operational maturity. Their toolkit is not limited to generic malware; rather, it includes custom macOS payloads designed for cross-architecture compatibility, advanced credential harvesting, and the strategic abuse of CI/CD pipelines to facilitate lateral movement and asset exfiltration.
The Social Engineering Vector: High-Fidelity Impersonation
The campaign begins with a precision-engineered social engineering phase. Attackers utilize LinkedIn profiles that exhibit high degrees of credibility, featuring realistic professional histories and established networks. This makes distinguishing an adversary from a legitimate recruiter or business partner exceptionally difficult for even seasoned developers.
The attack chain typically follows this progression:
- Initial Contact: A fraudulent meeting invitation is sent via LinkedIn messaging.
- Domain Spoofing: Victims are redirected to malicious domains designed to mimic legitimate collaboration tools like Microsoft Teams.
- Payload Delivery: The spoofed site prompts the user to download a “meeting client” or a “troubleshooting patch” to resolve supposed technical issues.
In one notable instance, the payload was delivered through a bash script hosted on a domain impersonating an official Apple driver portal, adding a layer of perceived legitimacy to the infection process.

Technical Analysis: AUDIOFIX and MINIRAT
Once the initial foothold is established, the actor deploys specialized malware. The primary payload, AUDIOFIX, is an architecture-aware binary compatible with both Intel and Apple Silicon (M-series) chips. It achieves persistence by masquerading as the legitimate coreaudiod system process and utilizing launchctl for execution.
AUDIOFIX functions as a dual-threat agent: an Infostealer and a Remote Access Trojan (RAT). It targets high-value assets including:
- macOS Keychain credentials and browser-stored passwords.
- SSH keys and cloud provider tokens (AWS, Azure, GCP).
- Cryptocurrency wallet private keys and active session tokens for Slack, Discord, and Telegram.
According to research by Wiz, the group leverages these stolen tokens to move from the endpoint into the cloud infrastructure. By using specialized tools like nord-stream, they can extract secrets directly from GitHub Actions and other CI/CD environments.
Supply Chain Compromise
JINX-0164 has also demonstrated significant supply chain capabilities. In April 2026, they successfully compromised the @velora-dex/sdk npm package (version 4.9.1). This compromise involved injecting a malicious script that acted as a dropper for a secondary, lightweight Go-based backdoor known as MINIRAT. While AUDIOFIX focuses on deep system exploitation, MINIRAT is optimized for lightweight reconnaissance and command execution.

Strategic Intent: Infiltrating the Codebase
Perhaps the most dangerous aspect of JINX-0164 is their ability to turn a developer’s workstation into an internal infection vector. Rather than just stealing data, they attempt to poison the well. By gaining access to internal repositories, they use stealthy Git techniques—such as altering commit metadata or hijacking existing branches—to inject malicious code directly into the main branch.
As other developers pull these updates, the malware propagates throughout the organization’s infrastructure, effectively turning trusted source code into a distribution mechanism for the adversary.
Indicators of Compromise (IOCs)
Organizations are advised to monitor for the following hashes within their EDR and SIEM environments. Note: IP addresses and domains are defanged to prevent accidental execution.
| Malware Family | Architecture / Infrastructure | SHA-256 Hash |
|---|---|---|
| MINIRAT | ARM64 | 0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270 |
| MINIRAT | x86_64 | 0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d |
| AUDIOFIX | HTTPS / ARM64 | 65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6 |
| AUDIOFIX | Dropbox / x86_64 | 3e3901519c2305fbe9d5483b7234c25c6d2b562512916481d96f26b849c39fdb |
| Dropper | Fake audio fix (apple.driver-store[.]com) | 9c2ce925133a3bf5a924063bbef8df49918d5b7258695c1894cd18c75970157a |
| Dropper | Supply Chain (89.36.224[.]5) | c6ef82d2864dfd26f117a1ef560279153423f2742970a7949cec72722f0a01e |
Disclaimer: Re-fang these indicators only within controlled threat intelligence environments such as MISP or VirusTotal.