TempMail Ninja

JINX-0164 macOS Malware Targets Crypto Developers and CI/CD Pipelines


In the rapidly shifting landscape of software supply chain security, a newly uncovered threat campaign has shattered the myth of Apple ecosystem invulnerability. The group behind this operation, tracked as JINX-0164, has engineered a multi-stage campaign targeting cryptocurrency firms with custom macOS malware designed to pivot from developer laptops straight into core automated infrastructure. First reported by the Wiz Customer Incident Response Team (CIRT), the campaign represents a terrifying evolution in financial cyber-espionage: a highly calculated sequence that turns developer trust, targeted social engineering, and continuous integration pipeline mechanics against their owners.

For years, cryptocurrency organizations and decentralized finance (DeFi) platforms have prioritized cloud infrastructure and blockchain smart-contract auditing. However, JINX-0164 exploits a different, softer target—the workstations of the developers themselves. Operating since at least mid-2025, this financially motivated threat actor leverages polished LinkedIn profiles, masquerades as recruiters or business partners, and bypasses local operating system protections to establish a permanent foothold. From there, the real damage begins, as the attackers systematically poison repositories and turn internal software supply chains into self-propagating malware delivery systems.

The LinkedIn Trap: How JINX-0164 Hooks Crypto Developers

The initial entry point of a JINX-0164 intrusion bypasses automated firewalls and perimeter defenses entirely, focusing on the human element through meticulously crafted spear-phishing and social engineering. Attackers curate highly convincing and polished LinkedIn profiles, posing as technical recruiters from reputable investment firms, cryptocurrency exchanges, or technology providers. They identify high-value targets within the organization—principally blockchain developers, DevOps engineers, and system administrators—and initiate contact with enticing offers of virtual business collaborations, advisory roles, or lucrative employment opportunities.

Once initial rapport is built and a developer’s guard is lowered, the attacker schedules a virtual meeting. Rather than sending a link to a mainstream videoconferencing platform, the target is directed to a malicious lookalike domain. These domains are designed to replicate standard teleconferencing landing pages but utilize typosquatted names such as:

  • teamicrosoft[.]com (impersonating Microsoft Teams)
  • bitget-meeting[.]com (impersonating the crypto trading platform)
  • us03-slack[.]online (impersonating Slack)

When the victim attempts to join the call, the fake platform simulates a technical failure, displaying a customized popup indicating an audio driver mismatch or a local hardware configuration error. The victim is immediately prompted to run an automated “system audio fix” to join the meeting. The sense of urgency created by the upcoming interview or business meeting frequently drives targets to authorize the download, which delivers a bash dropper script hosted on the attacker-controlled server apple.driver-store[.]com.

Deconstructing AUDIOFIX: A Sophisticated Strain of macOS Malware

The bash script downloaded during the fake meeting behaves as an architecture-aware downloader. It queries the host hardware via shell commands to determine if the victim is running an Intel (x86_64) processor or Apple Silicon (ARM64) architecture. Based on this discovery, it fetches a compiled Python-based macOS infostealer and Remote Access Trojan (RAT) called AUDIOFIX (also tracked as AUDIODFX).

To avoid raising suspicion in system monitoring logs, AUDIOFIX masquerades as the legitimate macOS Core Audio daemon, coreaudiod, which handles all sound input and output on the operating system. The binary is written to disk as ChromeUpdater, and persistence is established through macOS’s native service manager, launchd (driven via launchctl), by placing a property list (.plist) file under the user’s LaunchAgents directory.
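A defender-side check for the persistence mechanism just described: this added example (not code from the article or from Wiz) audits ~/Library/LaunchAgents for agents that borrow the coreaudiod name, launch a binary with a name such as ChromeUpdater, or run from a user-writable path. The legitimate daemon path is an assumption and the two sample plists are constructed, not real indicators.

```python
"""Audit per-user LaunchAgents for entries that mimic coreaudiod or run from
unexpected locations. Added example; sample plists and paths are constructed."""
import plistlib
from pathlib import Path

LAUNCH_AGENT_DIRS = [Path.home() / "Library" / "LaunchAgents"]
LEGIT_COREAUDIOD = "/usr/sbin/coreaudiod"          # assumed path of the real daemon
SUSPECT_NAMES = ("coreaudiod", "chromeupdater")     # names the article associates with AUDIOFIX
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")

def audit_plist(data: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means clean."""
    findings = []
    try:
        plist = plistlib.loads(data)
    except Exception:                   # an unreadable agent plist is itself worth a look
        return ["unparseable plist"]
    label = str(plist.get("Label", "")).lower()
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    if "coreaudiod" in label and program != LEGIT_COREAUDIOD:
        findings.append(f"label mimics coreaudiod but runs {program}")
    if any(n in Path(program).name.lower() for n in SUSPECT_NAMES) \
            and program != LEGIT_COREAUDIOD:
        findings.append(f"suspicious binary name: {program}")
    if program.startswith(USER_WRITABLE):   # review signal, not a verdict on its own
        findings.append(f"runs from user-writable path: {program}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunched persistently")
    return findings

def audit_dirs(dirs=LAUNCH_AGENT_DIRS) -> dict[str, list[str]]:
    """Map each flagged plist path under the agent directories to its findings."""
    results = {}
    for d in dirs:
        for p in (d.glob("*.plist") if d.is_dir() else []):
            found = audit_plist(p.read_bytes())
            if found:
                results[str(p)] = found
    return results

# Constructed samples: an AUDIOFIX-style agent beside a benign one
SAMPLE_MALICIOUS = plistlib.dumps({"Label": "com.apple.coreaudiod",
    "ProgramArguments": ["/Users/dev/Library/Caches/ChromeUpdater"],
    "RunAtLoad": True, "KeepAlive": True})
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.syncagent",
    "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync"],
    "RunAtLoad": True})
```

Calling audit_dirs() on a workstation returns only the agents that tripped a check, so it can be run from an MDM script and the result forwarded to the SOC.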

Once AUDIOFIX is loaded into memory, its primary objective is rapid, comprehensive credential harvesting. The malware is pre-configured to systematically extract the following local data structures:

  • iCloud Keychain Contents: Extracts stored cryptographic keys, application passwords, and secure notes.
  • Browser Credentials: Targets over 10 distinct web browsers, querying local SQLite3 databases (such as Chrome’s Login Data file) to exfiltrate plaintext usernames and passwords.
  • SSH Keys and Git Credentials: Scans the default ~/.ssh/ directory, harvesting private keys and configuration files that grant write access to external codebases.
  • Cloud Provider API Tokens: Scans system environment variables, local configuration files, and IDE history to extract high-value access keys for Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Cloudflare.
  • Cryptocurrency Wallet Extensions: Identifies and systematically extracts private keys, recovery seed phrases, and session data from 51 different browser-based cryptocurrency wallet extensions.

Beyond this initial data dump, AUDIOFIX actively monitors the system clipboard. If a user copies an alphanumeric string resembling a cryptocurrency wallet address, the malware utilizes dynamic memory manipulation to hijack the clipboard, replacing the intended recipient’s address with one controlled by the threat group. Furthermore, AUDIOFIX hijacks ongoing session tokens for communication platforms like Slack, Discord, and Telegram, allowing the attackers to spy on internal corporate messaging, mimic the user, and orchestrate further lateral moves. To transmit this massive volume of stolen data, the malware establishes an HTTPS-encrypted tunnel back to the Command and Control (C2) server (primarily communicating with the domain datahub.ink), using AES-256-CBC encryption and randomized polling intervals to defeat standard network anomaly detectors.

MINIRAT: The Memory-Only Go-Based Backdoor

While AUDIOFIX functions as a primary harvester and persistent entry point, JINX-0164 deploys a secondary payload known as MINIRAT to maintain deep, resilient shell access. Unlike AUDIOFIX, which is built on Python, MINIRAT is a highly optimized, lightweight backdoor written in the Go programming language.

MINIRAT has been designed to operate as a fileless backdoor, executing directly within system memory space to avoid detection by traditional signature-based Endpoint Detection and Response (EDR) agents. Once initialized, MINIRAT establishes a secondary HTTPS polling loop with JINX-0164’s infrastructure, enabling the operators to execute arbitrary system-level commands, transfer files to and from the compromised endpoint, and perform live network reconnaissance on the organization’s internal subnet.

In April 2026, JINX-0164 expanded the deployment of MINIRAT by targeting the broader open-source ecosystem. The group orchestrated a supply chain attack by trojanizing version 4.9.1 of the npm package @velora-dex/sdk—a widely utilized decentralized exchange (DEX) software development kit. The attackers appended a malicious post-installation script to the package, which automatically downloaded and executed MINIRAT on any developer workstation or automated build node that pulled down the package, illustrating JINX-0164’s capability to orchestrate multi-faceted distribution models.

From Endpoint to Pipeline: The CI/CD Supply Chain Hijack

What elevates JINX-0164 above typical cyber-theft groups is their tactical decision to avoid immediate cloud account takeovers or instant wallet drains, which would trigger immediate security alerts. Instead, they focus on exploiting the organization’s software development pipeline. Once AUDIOFIX exfiltrates a developer’s GitHub Personal Access Tokens (PATs) or GitLab credentials, JINX-0164 leverages the compromised developer’s local identity to pivot into the organization’s internal Continuous Integration and Continuous Deployment (CI/CD) environments.

Using the open-source penetration testing tool nord-stream—an automation utility developed by Synacktiv to audit CI/CD pipeline vulnerabilities—the attackers enumerate internal development repositories. The nord-stream tool allows the threat actors to systematically extract sensitive environment secrets, such as production AWS roles, code-signing certificates, container registry credentials, and deployment tokens.

Armed with these pipeline credentials, JINX-0164 executes a classic “poison-the-well” supply chain compromise. They modify internal build configurations, injecting the AUDIOFIX bash dropper directly into the build workflow of the company’s proprietary applications. To bypass branch protection rules and peer reviews, they manipulate Git metadata: by spoofing commit identities—changing the author name and email in the Git log to match other senior developers in the organization—they push the malicious commits straight to active development branches (such as dev_remote_ea5Eu/test/v1). The next time another developer pulls the latest commits or initiates a local build, their system executes the malicious payload, establishing an internal, self-propagating chain of infection that spreads laterally across the engineering department without generating external network alerts.

Evasion Tactics and Infrastructure Stealth

To mask their command-and-control communication and maintain an aura of legitimacy, JINX-0164 employs rigorous operational security. The group completely avoids using fixed, static IP addresses for their C2 nodes. Instead, they route their outgoing traffic through commercial Virtual Private Network (VPN) services, specifically favoring:

  • Astrill VPN
  • Mullvad VPN
  • ExpressVPN

Additionally, they lease extensive networks of residential proxies, allowing their C2 traffic to blend in with standard consumer broadband connections from regions geographically adjacent to their targets. This makes geographic blocking ineffective and hinders automated threat-hunting efforts that flag data exfiltration to unrecognized IP ranges. Analysts have noted that while JINX-0164 shares behavioral traits, lures, and targeting footprints with prominent North Korean state-sponsored threat groups like Sapphire Sleet (UNC1069) and BlueNoroff, there is currently no technical or infrastructure overlap with established DPRK clusters. JINX-0164 remains categorized as an independent, highly specialized, and financially motivated threat actor.

Architecting a Modern Defense Against Pipeline Hijacking

Because the initial compromise is driven by high-credibility social engineering, relying solely on user awareness training is insufficient. Organizations—specifically those within the blockchain, Web3, and cryptocurrency spaces—must enforce robust, multi-layered technical controls to sever the JINX-0164 attack chain:

  1. Block Unsigned Binary Execution on macOS: Enforce strict Apple Gatekeeper and Mobile Device Management (MDM) configurations that completely block the execution of unsigned or unnotarized binaries, preventing developers from manually running system “fixes” and audio drivers downloaded from third-party sites.
  2. Harden Git and Branch Controls: Implement mandatory branch protection policies on all repositories. Require signed commits via GPG keys to prevent the commit spoofing utilized by JINX-0164 to impersonate legitimate team members. Enforce a dual-approver peer review workflow for all merges into main or release branches, ensuring a single compromised token cannot poison the codebase.
  3. Implement Fine-Grained Developer Tokens: Migrate away from classic, broad GitHub Personal Access Tokens (PATs). Enforce fine-grained tokens restricted to specific repositories with read-only access where write-access is unnecessary, and strictly limit the lifetime of active secrets.
  4. Audit Security Framework Calls: Configure EDR systems to actively monitor and alert on non-browser applications attempting to read the macOS Keychain or query the local SQLite databases of web browsers. Anomalous programmatic access to ~/Library/LaunchAgents/ or system-level processes mimicking the Core Audio daemon (coreaudiod) should trigger immediate host isolation.
  5. Deploy Real-Time Secrets Scanning: Continuously monitor and audit CI/CD pipeline build logs for indicators of secret scanning tools like nord-stream. Deploy automated detectors that look for unexpected additions of outbound webhooks or modification of workflow YAML files.

Ultimately, the threat posed by JINX-0164 shows that the target is no longer the production cloud server; it is the developer’s laptop, which serves as the ultimate gateway to the entire automated build process. By treating developer workstations and CI/CD pipelines as highly sensitive, zero-trust infrastructure, security teams can neutralize these sophisticated operations before they lead to catastrophic compromise.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.