ctipilot.ch

JINX-0164

campaign · campaign:jinx-0164-crypto-firms-linkedin-audiofix-minirat

JINX-0164 — financially motivated cluster targeting crypto orgs via LinkedIn recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD

Coverage timeline: first 2026-05-29 → last 2026-05-29 (1 entry, 1 distinct day)
Sources cited: 2 (2 hosts)
Sections touched: 1 (research)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-29 (research): Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD

Where this entity is cited

  • research: 1

Source distribution

  • thehackernews.com: 1 (50%)
  • wiz.io: 1 (50%)

Entries about JINX-0164 (1)

2026-05-29

Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD

notable research · discovered 2026-05-29 05:00 UTC

Wiz CIRT identified and named JINX-0164 on 2026-05-27, a financially motivated cluster active since mid-2025 against cryptocurrency organisations. Initial access is LinkedIn-based social engineering: fake recruiter personas direct targets to fraudulent video-conferencing platforms that deliver AUDIOFIX, a compiled-Python macOS binary functioning as both infostealer and backdoor. AUDIOFIX harvests Keychain contents, Chrome / Firefox / Safari credentials, SSH keys, AWS / GCP / Azure cloud-provider credentials, and credentials from 51 cryptocurrency-wallet browser extensions; persistence is a LaunchAgent plist under ~/Library/LaunchAgents.

From the endpoint, JINX-0164 pivots into CI/CD infrastructure using stolen developer credentials and injects poisoned commits under legitimate developer identities; any team member building from the affected branches receives MINIRAT, a lightweight Go-based backdoor. The supply-chain escalation materialised through the @velora-dex/sdk npm package version 4.9.1 (trojanised 2026-04-07), which staged MINIRAT with launchctl-based persistence. Wiz notes TTP overlap with prior DPRK-adjacent tradecraft (UNC1069, Sapphire Sleet) but stops short of formal attribution. The Hacker News write-up corroborates with additional MINIRAT detail. MITRE ATT&CK mapping: T1566.003 (Spearphishing via Service: LinkedIn), T1543.001 (Launch Agent), T1555 (Credentials from Password Stores), T1195.002 (Compromise Software Supply Chain) and T1098.005 (Device Registration).

For Swiss / EU SOCs the relevant exposure is Crypto Valley and any organisation whose developers build from npm dependencies that fan out to internal CI/CD; Sigstore signature verification, lock-file pinning of @velora-dex/sdk, and CI-runner least privilege are the operational asks.
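An added example, not code from the Wiz or Hacker News reporting, for the lock-file pinning ask above: it audits a package-lock.json and package.json for the trojanised @velora-dex/sdk version named in the entry wherever it resolves in the tree (transitive installs included), and also flags range declarations and missing integrity hashes for that package. The sample lock and manifest are constructed.

```python
import json
import re
import sys

# Package and version named in the Wiz / THN reporting summarised above.
TROJANISED = {"@velora-dex/sdk": {"4.9.1"}}
EXACT_PIN = re.compile(r"^\d+\.\d+\.\d+$")

def audit_lockfile(lock, manifest):
    """Audit a lockfileVersion 2/3 package-lock.json plus its package.json:
    flag a known-trojanised version anywhere in the tree, a watched package
    declared as a range instead of an exact pin, and a watched entry that
    carries no integrity hash for 'npm ci' to verify against."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the project root, not a dependency
            continue
        # "node_modules/@scope/name" or "node_modules/parent/node_modules/@scope/name"
        name = path.split("node_modules/")[-1]
        if name not in TROJANISED:
            continue
        version = meta.get("version", "")
        if version in TROJANISED[name]:
            findings.append(f"KNOWN-BAD {name}@{version} resolved at {path}")
        if not meta.get("integrity"):
            findings.append(f"NO-INTEGRITY {name}@{version} at {path}")
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name in TROJANISED and not EXACT_PIN.match(spec):
                findings.append(f"UNPINNED {name} declared as '{spec}' in {section}")
    return findings

# Constructed sample: the direct dependency resolved to the bad release with no
# integrity field; a clean older copy sits nested under another package.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "wallet-ui", "dependencies": {"@velora-dex/sdk": "^4.9.0"}},
    "node_modules/@velora-dex/sdk": {"version": "4.9.1"},
    "node_modules/some-dapp-kit": {"version": "1.2.0", "integrity": "sha512-CONSTRUCTED"},
    "node_modules/some-dapp-kit/node_modules/@velora-dex/sdk": {
        "version": "4.8.3", "integrity": "sha512-CONSTRUCTED"},
}}
SAMPLE_MANIFEST = {"dependencies": {"@velora-dex/sdk": "^4.9.0"}}

if __name__ == "__main__":
    # Usage: python audit.py package-lock.json package.json (defaults to the sample)
    if len(sys.argv) == 3:
        lock, manifest = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        lock, manifest = SAMPLE_LOCK, SAMPLE_MANIFEST
    for line in audit_lockfile(lock, manifest) or ["no findings"]:
        print(line)
```

On the constructed sample this reports the bad 4.9.1 resolution, its missing integrity hash and the caret range in package.json, while the nested 4.8.3 copy with an integrity field produces no finding.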

“JINX-0164 uses LinkedIn social engineering, custom macOS malware, and CI/CD hijacking to target crypto organizations” — Wiz Research

“JINX-0164 also distributes MiniRAT, a Go-based backdoor previously delivered via a compromised npm package (@velora-dex/sdk), enabling arbitrary command execution and payload retrieval on macOS systems” — The Hacker News

Tags: organized-crime, espionage, supply-chain, identity, mobile, cloud, global, europe, switzerland