Cryptocriminal JINX-0164 Targets Macs in Sophisticated Supply Chain Heist

A previously unknown threat actor has been targeting cryptocurrency organizations since at least mid-2025, using recruitment-themed social engineering and custom macOS malware to steal digital assets, according to researchers from Wiz. The operation, designated JINX-0164, employs credible LinkedIn profiles to approach victims under the guise of a job opportunity.

The social engineering scheme leads to a fake teleconference website where victims download a malicious program. Consequently, a bash script fetches a Python-based infostealer and remote access trojan codenamed AUDIOFIX from a domain masquerading as an Apple driver store. “The payload masquerades as a system audio driver named coreaudiod,” Wiz explained.

This malware steals a wide range of sensitive data, including credentials from password managers, browser data, SSH keys, and active sessions for Discord and Telegram. Furthermore, AUDIOFIX allows the attacker to move laterally into internal development infrastructure and modify source code to compromise other systems.

In a parallel supply chain attack, the threat actor compromised the legitimate @velora-dex/sdk npm package. The poisoned version, as detailed by SafeDep and StepSecurity, delivered a Go-based backdoor called MiniRAT.

The campaign’s focus on cryptocurrency and use of specific VPN services echoes tactics of North Korean threat clusters like BlueNoroff. However, Wiz stated there are no current infrastructure overlaps definitively linking JINX-0164 to Pyongyang.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• Shiba Inu Hits Yearly Low, Faces 37% Drop Prediction
• Bitcoin falls below $73,000 on heavy ETF outflows
• Bitcoin longs defend $70K despite ETF outflow worries
• UK Sanctions HTX-Linked Entity for Russia Financial Services
• Nakamoto Stock Drops 10% Post Reverse Stock Split