JINX-0164 has targeted crypto developers through fake LinkedIn meeting invites that lead to macOS malware infections, according to findings published by cloud security firm Wiz on May 27, 2026. The campaign focuses on developer machines, saved credentials, cloud tokens, crypto wallets, and internal software pipelines.
Wiz said the group has carried out attacks since at least mid-2025. The attackers use professional-looking LinkedIn profiles, start business conversations, and send links to fake video meeting pages that resemble Microsoft Teams or other meeting tools.
Attackers send victims to fake meeting websites that prompt them to run what appears to be a tool needed for the call. However, the link delivers AUDIOFIX, a custom macOS malware strain designed to run on both Intel and Apple Silicon Macs.
According to Wiz, AUDIOFIX installs silently through a script hosted on a fake Apple-themed site. It then stays active after a restart, hides as a system audio component, and contacts the attackers through HTTPS. This setup helps the malware remain on infected devices while avoiding quick detection.
Once inside a machine, AUDIOFIX collects saved passwords from the macOS Keychain, browser credentials, SSH keys, cloud access tokens, and crypto wallet data. Wiz also found that attackers directly phished for passwords and stored them in encoded files.
JINX-0164 not only steals wallet data and login details. The group also targets development systems that crypto companies use to build, test, and deploy software.
In an early 2026 case, Wiz said the attackers used stolen GitHub tokens to extract secrets from CI/CD pipelines through an open-source tool called nord-stream. They then placed AUDIOFIX inside internal repositories and used forged Git commit metadata to appear as trusted developers.
The attackers pushed malicious code to the main branches or took control of existing branches. As a result, other developers who pulled and built code from those repositories became exposed to infection.
GitHub’s Vigilant Mode flagged unverified commits in at least one case. That helped show that the commit metadata did not carry verified GPG signatures, even though the activity appeared to come from real developers.
Wiz also reported a confirmed supply chain attack linked to the group. On April 7, 2026, JINX-0164 trojanized version 4.9.1 of @velora-dex/sdk, a public npm package used by developers.
The attackers injected a base64-encoded command that fetched and ran a remote script. That script deployed MINIRAT, a lightweight Go-based backdoor used for persistence and remote command execution.
AUDIOFIX and MINIRAT share command-and-control domains, including datahub[.]ink, cloud-sync[.]online, and byte-io[.]us. The attackers also routed activity through Mullvad VPN, Astrill VPN, and ExpressVPN to hide their real location.
Wiz noted some tactical similarities with North Korean-linked clusters UNC1069 and Sapphire Sleet. However, it said there was ‘no direct infrastructure overlap,’ and treated JINX-0164 as a separate, financially motivated actor.
The campaign shows how fake meetings can create direct risks for crypto developers and software teams. In this case, attackers used social engineering, malware, stolen tokens, and poisoned repositories to reach both cash and code.
Meanwhile, related package attacks have also exposed risks across developer ecosystems. In May, hackers compromised more than 170 npm and PyPI packages, including the official Mistral AI Python library. That incident exposed GitHub tokens and cloud credentials used by crypto and AI developers.
Wiz said that the attack also included malicious packages with valid SLSA Build Level 3 provenance attestations. That raised doubts over whether build verification alone can stop attacks when trusted package workflows are already compromised.
Crypto companies are now urged to review CI/CD pipelines, check for unauthorized GitHub actions, audit commits with unverified signatures, and investigate unusual VPN activity. Developers who joined LinkedIn meetings from unknown contacts should also scan their machines and rotate exposed credentials.
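As an added example (not from the Wiz report or from any tool it names), a small Python helper for the "audit commits with unverified signatures" step above: it reads git's signature-status placeholder (%G?) for recent commits and lists those attributed to a trusted developer address that git cannot verify, the same condition Vigilant Mode flagged when forged commit metadata impersonated real developers. The trusted-address set and the sample log lines are constructed assumptions.

```python
"""Hypothetical helper (not from the Wiz report): list recent commits that
claim a trusted developer's address but carry no verifiable signature."""
import subprocess
from dataclasses import dataclass

# Meaning of git's %G? signature-status placeholder.
SIG_STATUS = {
    "G": "good signature", "B": "bad signature", "N": "no signature",
    "U": "good signature, unknown validity", "X": "good but expired signature",
    "Y": "good signature, expired key", "R": "good signature, revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
}
# Unit separator between fields so subjects containing spaces parse safely.
LOG_FORMAT = "%H%x1f%G?%x1f%ae%x1f%s"

@dataclass
class Commit:
    sha: str
    status: str   # one of the SIG_STATUS keys
    email: str    # author email: free text, so trivially forgeable
    subject: str

    @property
    def verified(self) -> bool:
        return self.status == "G"  # only "G" is verified; the rest need review

def parse_log(text: str) -> list[Commit]:
    """Parse lines produced by `git log --format=LOG_FORMAT`."""
    return [Commit(*line.split("\x1f", 3)) for line in text.splitlines() if line.strip()]

def unverified(commits: list[Commit], trusted_emails: set[str]) -> list[Commit]:
    """Commits attributed to a trusted address that git could not verify:
    the pattern left behind when commit metadata is forged."""
    return [c for c in commits if c.email in trusted_emails and not c.verified]

def audit_branch(repo: str, ref: str, trusted_emails: set[str], limit: int = 200) -> list[Commit]:
    """Run git against a real repository and return the suspicious commits."""
    cmd = ["git", "-C", repo, "log", f"-n{limit}", f"--format={LOG_FORMAT}", ref]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return unverified(parse_log(out), trusted_emails)

# Constructed sample log lines (not real commits) in LOG_FORMAT.
SAMPLE_LOG = "\n".join([
    "a1b2c3\x1fG\x1falice@example.com\x1fAdd release notes",
    "d4e5f6\x1fN\x1falice@example.com\x1fUpdate build script",
    "0a9b8c\x1fE\x1fbob@example.com\x1fBump dependency",
    "7f6e5d\x1fN\x1fguest@example.org\x1fFix typo",
])
```

Call `audit_branch(".", "main", {"alice@example.com"})` inside a checked-out repository to audit real history; `SAMPLE_LOG` exists only so the classifier can be exercised offline. An unsigned commit from an address outside the trusted set is deliberately not flagged, since the high-signal case is an unverifiable commit that claims to come from a known developer.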