Best crypto insights delivered straight to your inbox.
- Hackers have impersonated business connections on LinkedIn and deployed custom macOS malware to target crypto developers.
- The group steals credentials and compromises CI/CD pipelines.
- JINX-0164 conducted at least one confirmed supply chain attack through a trojanized npm package.
A group of hackers, known as JINX-0164, has been contacting crypto developers via LinkedIn and inviting them to fake meetings that lead to the infection of their machines with custom macOS malware.
The malware steals login credentials and hijacks the pipelines developers use to build and deploy software. Cloud security firm Wiz published its findings on May 27, 2026.
Fake meeting link drops AUDIOFIX malware on devs machines
Wiz’s incident response team linked the group to attacks going back to at least mid of 2025.
Attackers reach out to a developer on LinkedIn using a profile that looks legitimate, suggest a business call, and send a link to a fake website made to look like Microsoft Teams or a similar video conferencing tool.
AUDIOFIX is the macOS virus that silently starts installation when a victim clicks on what they believe to be a meeting URL. It operates on Intel and Apple Silicon Macs and is delivered via a script stored on a fake Apple site. The virus sets itself up to continue operating after a restart, poses as a system audio component, and interacts with the attackers over HTTPS.
Once it is on the machine, it collects saved passwords from the macOS Keychain, browser credentials, SSH keys, cloud access tokens for AWS, GCP, and Azure, and crypto wallet data. Additionally, Wiz discovered that the attackers were directly phishing for passwords and storing them in encoded files.
JINX-0164 differs from other infostealers because it goes after internal code repositories and development infrastructure.
In a case study from early 2026, Wiz documented how the attackers used stolen GitHub tokens to extract secrets from CI/CD pipelines with an open-source tool called nord-stream. They then injected their AUDIOFIX malware into internal repositories, impersonating legitimate developers by forging Git commit metadata and pushing malicious code to main branches or hijacking existing ones.
Other developers who pulled and built from those poisoned repos got infected automatically. The organization’s own development workflow became the distribution mechanism. GitHub’s Vigilant Mode, which flags commits lacking verified GPG signatures, caught the impersonation in at least one case.
The group also carried out a confirmed supply chain attack on a public npm package. On April 7, 2026, JINX-0164 trojanized version 4.9.1 of @velora-dex/sdk, injecting a base64-encoded command that fetched and executed a remote script deploying MINIRAT. That’s a lightweight Go-based backdoor focused on persistence and remote command execution.
Attackers target cash and code from crypto devs
AUDIOFIX and MINIRAT share command-and-control domains like datahub[.]ink, cloud-sync[.]online, and byte-io[.]us. The attackers route their activity through Mullvad VPN, Astrill VPN, and ExpressVPN to hide their real location.
Wiz found some tactical similarities with North Korean threat clusters UNC1069 and Sapphire Sleet, but found no direct infrastructure overlap. They’re calling JINX-0164 a distinct and financially motivated threat actor.
In May, hackers compromised 170+ npm and PyPI packages, including the official Mistral AI Python library. That attack exposed GitHub tokens and cloud credentials owned by crypto and AI developers. This was also the first documented case of malicious packages carrying valid SLSA Build Level 3 provenance attestations, breaking the cryptographic trust model meant to verify build integrity.
Hacking crypto and AI developers usually leads to cash and valuable code. Crypto labs/companies should strengthen cybersecurity measures and review their CI/CD pipelines for any unauthorized access or malicious activities. Unauthorized GitHub actions, commits with unverified signatures and unusual VPN connections are all warning signs. Developers who joined meetings sent via LinkedIn should scan their computers for viruses.
If you're reading this, you’re already ahead. Stay there with our newsletter.
FAQs
What is JINX-0164?
JINX-0164 is a financially motivated threat actor identified by Wiz that has been active since at least mid of 2025.
How does the JINX-0164 attack start?
The attackers contact developers on LinkedIn using credible profiles, propose a virtual meeting, and send a link to a malicious domain. When the victim runs the fake meeting client, it delivers macOS malware called AUDIOFIX.
What should crypto developers do if they suspect compromise?
Developers should rotate GitHub tokens, SSH keys, cloud credentials, and any crypto wallet keys. They should audit CI/CD pipelines for unauthorized activity, and check repositories for unverified commits.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Randa Moses
Randa Moses is an editor and reporter at Cryptopolitan covering tech, AI, robotics, crypto, scams, and hacks. She has worked in the crypto space since 2017. She held roles at Forward Protocol, AmaZix, and Cryptosomniac. Randa holds a degree in Electrical and Electronics Engineering from the University of Bradford.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)