JINX-0164: Potential macOS Malware Campaigns Targeting Crypto Developers via LinkedIn
Threat actor JINX-0164 may be targeting cryptocurrency developers through LinkedIn social engineering, potentially utilizing the AUDIOFIX macOS malware and the…

JINX-0164, a threat actor tracked by Wiz and reportedly active since at least mid-2025, may have been conducting targeted campaigns against cryptocurrency firms. The group potentially utilizes fraudulent LinkedIn recruiter profiles to distribute custom macOS malware. Documentation published on May 28, 2026, details an attack chain that could begin with the compromise of a single developer and potentially extends to the downstream ecosystem via a manipulated npm package. The operation may blend social engineering, macOS persistence via launchctl, and an import-time execution technique.
- JINX-0164 may leverage highly credible LinkedIn profiles of purported recruiters to approach developers at crypto firms, potentially using virtual meeting invitations as infection vectors.
- The AUDIOFIX malware may be a Python-based infostealer/RAT disguised as the coreaudiod system driver. It may be distributed as ChromeUpdater, potentially achieves persistence via launchctl, and could target credentials, SSH keys, crypto wallets, and messaging sessions.
- The Go-based MiniRAT backdoor may have been distributed through a version (9.4.1) of the @velora-dex/sdk npm package, published on April 7, 2026. The payload could execute upon the first require() or import call.
The Mechanics of Potential Fake Recruiter Social Engineering
The initial phase of the attack could exploit trust within professional networking environments. According to Wiz researchers, JINX-0164 may "leverage credible LinkedIn profiles to approach victims and offer a virtual meeting." These profiles are reportedly crafted to appear authentic. Victims, typically developers within the crypto sector, may accept these invitations as the context appears routine.
During the virtual meeting, the attacker may simulate technical difficulties and provide a link to a supposed fix. The downloaded file may be AUDIOFIX: an architecture-aware Python payload. Wiz describes how the malware may masquerade as a system audio driver named coreaudiod, could be saved as ChromeUpdater, and may be executed via launchctl.
AUDIOFIX: Potential Persistence and Targeted Exfiltration on macOS
Once executed, AUDIOFIX may establish itself as a persistent agent using launchctl, the macOS service management framework. This choice could be strategic, as launchctl is a legitimate Apple-signed component.
The exfiltration module could be extensive and tailored to the victim's professional profile. According to the Wiz dossier, AUDIOFIX may harvest credentials from password managers, browsers, and the iCloud Keychain, alongside SSH keys, configuration files, cryptocurrency wallet extensions, and active sessions for messaging platforms. Beyond data theft, the malware could support lateral movement and additional payload injection. The identified C2 domain, apple.driver-store[.]com, may mimic legitimate Apple infrastructure.
MiniRAT and the Potential npm Supply Chain Compromise
The supply chain component of the campaign may have emerged with the compromise of the @velora-dex/sdk package. Version 9.4.1, published to npm on April 7, 2026, reportedly contained MiniRAT—a Go-based backdoor that StepSecurity reports could upload files, execute shell commands, and download further payloads.
The injection technique could make this vector particularly insidious. StepSecurity documented that "There is no install hook involved: the payload fires on the first require() or import call." Execution could occur when the module is imported into the application code. StepSecurity measured approximately 330 milliseconds from module loading to the persistence attempt via launchctl, with the job registered as zsh.profiler.
The C2 IP address reported by StepSecurity for MiniRAT is 89.36.224.5. Wiz cites SafeDep and StepSecurity as converging sources on the potential npm compromise.
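A defender-side check, added here as an example and not code from Wiz, StepSecurity or either malware family: it audits launchd property lists for the persistence indicators this page reports for both AUDIOFIX (a program saved as ChromeUpdater and loaded via launchctl) and MiniRAT (a job labelled zsh.profiler). The sample plist is constructed, and the user-writable path prefixes and the flagging heuristics are my assumptions, not indicators from the reports.

```python
import plistlib
from pathlib import Path

# Indicators taken from this page; everything else in this block is an assumption.
SUSPECT_LABELS = {"zsh.profiler"}
SUSPECT_PROGRAM_NAMES = {"chromeupdater"}
# launchd will happily run binaries from user-writable paths; those deserve review.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def audit_launchd_plist(data: bytes) -> list[str]:
    """Return findings for one launchd plist; an empty list means nothing was flagged."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # a plist launchd cannot parse is still worth a look
        return [f"unparseable plist: {exc}"]
    findings = []
    label = str(job.get("Label", ""))
    args = job.get("ProgramArguments") or []
    program = str(job.get("Program") or (args[0] if args else ""))
    if label in SUSPECT_LABELS:
        findings.append(f"label {label!r} matches a reported persistence job")
    if Path(program).name.lower() in SUSPECT_PROGRAM_NAMES:
        findings.append(f"program {program!r} matches a reported malware file name")
    if program.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"program {program!r} lives in a user-writable path")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive set: launchd restarts the job on exit")
    return findings

def audit_directory(directory: str) -> dict[str, list[str]]:
    """Audit every .plist in one launchd directory, e.g. ~/Library/LaunchAgents."""
    results = {}
    for path in Path(directory).expanduser().glob("*.plist"):
        findings = audit_launchd_plist(path.read_bytes())
        if findings:
            results[str(path)] = findings
    return results

# Constructed sample combining the indicators above; not a captured artifact.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>zsh.profiler</string>
  <key>ProgramArguments</key><array><string>/Users/dev/Library/Caches/ChromeUpdater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for line in audit_launchd_plist(SAMPLE_PLIST):
        print("FLAG:", line)
```

Run audit_directory over ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons to review every registered job on a host; the constructed sample yields four findings.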
Distinguishing JINX-0164 from Other Groups
Tactical similarities to known groups may be evident, including recruitment-themed social engineering and macOS malware. However, Wiz has stated: "Similarly, the types of spoofing domains are similar to those used by other North Korean actors; however, JINX-0164 infrastructure does not have any overlaps with other publicly tracked North Korean groups." The report further notes there are "no infrastructure overlaps connecting JINX-0164 to Pyongyang at this stage."
This distinction is a finding noted by researchers. While the lack of technical overlap does not disprove an operational relationship, it indicates that JINX-0164's known indicators do not align with those of publicly tracked North Korean groups. The source does not provide an alternative national attribution. Details regarding geolocation and organizational structure remain unspecified.
Why It Matters
The current brief does not document specific corrective measures released by Wiz or StepSecurity. The source does not list available patches or official detection tools. It remains unspecified whether npm has removed the package or if corrected versions exist. The exact number of victims and the volume of stolen funds are not included in the dossier.
Furthermore, the source does not specify if Windows or Linux variants of AUDIOFIX exist. It is not documented whether the compromise of the @velora-dex/sdk package was conducted directly by JINX-0164.
The significance of this case could lie in the convergence of two phenomena, endpoint compromise and supply chain poisoning: the macOS endpoint of a single developer becomes the potential entry point for a supply chain attack. A developer accepting a meeting could potentially become the vehicle for poisoning downstream installations. The import-time execution technique in the npm package may expose limitations in current security controls, since install-hook inspection alone would not catch it.
The JINX-0164 campaign may exploit trust, professional workflows, and development tool architecture. This could make mitigation difficult and places a higher burden on provenance verification. The risk is presented as a shift in the security perimeter for crypto firms, where professional messaging of individual developers could be a decisive attack surface.
Sources
- https://thehackernews.com/2026/05/jinx-0164-targets-cryptocurrency-firms.html
- https://www.darkreading.com/threat-intelligence/stealer-spoof-google-microsoft-apple-backdoors-macos
- https://thecyberwire.com/newsletters/daily-briefing/15/101
- https://www.cve.org/CVERecord?id=CVE-2026-48172
- https://www.stepsecurity.io/blog/velora-dex-sdk-compromised-on-npm-malicious-version-drops-macos-backdoor-via-launchctl-persistence