ctipilot.ch

NCSC-CH Week 23: coordinated job-seeker targeting (fake interviews, reshipping ID theft, LinkedIn-to-GitHub infostealer)

campaign · campaign:ncsc-ch-jobseeker-targeting-2026

Coverage timeline: 1 (first 2026-06-10 → last 2026-06-10)
Briefs: 1 (1 distinct)
Sources cited: 110 (55 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-10 · CTI Daily Brief — 2026-06-10 · active_threats
     First coverage. National-CERT primary disclosure for CH jurisdiction.

Where this entity is cited

  • active_threats: 1

Source distribution

  • security-hub.ncsc.admin.ch: 20 (18%)
  • helpnetsecurity.com: 7 (6%)
  • bleepingcomputer.com: 6 (5%)
  • thehackernews.com: 5 (5%)
  • ncsc.admin.ch: 3 (3%)
  • wiz.io: 3 (3%)
  • drupal.org: 3 (3%)
  • securityweek.com: 3 (3%)
  • other: 60 (55%)

Related entities

Items in briefs about NCSC-CH Week 23: coordinated job-seeker targeting (fake interviews, reshipping ID theft, LinkedIn-to-GitHub infostealer) (4)

NCSC-CH Week 23: coordinated surge in job-seeker targeting — fake interviews, reshipping identity theft, and LinkedIn-to-GitHub infostealer delivery

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

NCSC Switzerland's Week 23 report (9 June) documents three concurrent technique chains aimed at job seekers in Switzerland (NCSC-CH, 2026-06-09). The first sends fake interview-confirmation emails for plausible Swiss employers, linking to a counterfeit Google login that harvests credentials (T1566.002, T1078). The second uses fraudulent job offers demanding identity documents for "onboarding," with stolen Swiss IDs then used to order goods and run parcel-reshipping (freight-forwarder) fraud. The third operates through compromised LinkedIn recruiter profiles that direct candidates to download a "technical assessment" or "onboarding" GitHub repository carrying infostealer malware that targets crypto wallets, browser cookies and saved credentials (T1566.003, T1059.001, T1555). NCSC notes attackers systematically exploit applicants' urgency and unfamiliarity with new-employer processes to lower vigilance.

Why it matters to us: the LinkedIn→GitHub chain is a credible vector into corporate endpoints, both through employees in job-search mode and through HR/talent teams that handle code sent in by external candidates. Detection signal: a git clone or GitHub archive download followed within minutes by a script interpreter started out of the freshly cloned path (Sysmon EID 1 process creation where Image is python.exe, node.exe, powershell.exe or similar and CurrentDirectory or CommandLine points under a directory that a git.exe clone created shortly before). The LinkedIn contact itself is normally only visible inside the user's own account, so correlate on the clone-to-execute window rather than on the lure. This is a national-CERT primary disclosure for its own jurisdiction.
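The clone-to-execute correlation above, as an added example (not NCSC or ctipilot code): it takes Sysmon Event ID 1 records as a SIEM would export them to JSON, derives the on-disk path each `git clone` writes to, and flags any interpreter launched from that path within a window. Field names follow Sysmon's own (UtcTime, Image, CommandLine, CurrentDirectory, User); the events, user, repository URLs and paths are constructed for the example.

```python
"""Correlate a git clone with a script interpreter started from the cloned
path shortly afterwards (Sysmon Event ID 1, process creation).

Added example; the events below are constructed, not real telemetry.
"""
import shlex
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Interpreters whose launch out of a just-cloned repository is worth a look.
INTERPRETERS = {"python.exe", "pythonw.exe", "node.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# git clone options that consume the following token as their value.
OPTS_WITH_VALUE = {"-b", "--branch", "--depth", "-o", "--origin", "-c",
                   "--config", "-j", "--jobs", "--reference", "--filter"}

SAMPLE_EVENTS = [  # constructed sample, mirrors Sysmon EID 1 field names
    {"UtcTime": "2026-06-10 09:58:40.000",
     "Image": "C:\\Program Files\\Git\\cmd\\git.exe",
     "CommandLine": "git clone https://github.com/example-recruiter/technical-assessment.git",
     "CurrentDirectory": "C:\\Users\\alice\\Downloads\\", "User": "CORP\\alice"},
    {"UtcTime": "2026-06-10 10:01:05.000",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\python.exe",
     "CommandLine": "python setup.py",
     "CurrentDirectory": "C:\\Users\\alice\\Downloads\\technical-assessment\\", "User": "CORP\\alice"},
    {"UtcTime": "2026-06-10 10:02:00.000",  # unrelated interpreter launch, no clone behind it
     "Image": "C:\\Program Files\\nodejs\\node.exe",
     "CommandLine": "node server.js",
     "CurrentDirectory": "C:\\Users\\alice\\projects\\webapp\\", "User": "CORP\\alice"},
    {"UtcTime": "2026-06-10 11:00:00.000",  # internal repo, first run 40 minutes later
     "Image": "C:\\Program Files\\Git\\cmd\\git.exe",
     "CommandLine": "git clone git@git.corp.example:platform/tooling.git --depth 1",
     "CurrentDirectory": "C:\\Users\\alice\\src\\", "User": "CORP\\alice"},
    {"UtcTime": "2026-06-10 11:40:00.000",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\python.exe",
     "CommandLine": "python -m pytest",
     "CurrentDirectory": "C:\\Users\\alice\\src\\tooling\\", "User": "CORP\\alice"},
]


def parse_time(s):
    """Sysmon UtcTime, e.g. '2026-06-10 09:58:40.000'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def clone_target(cmdline, cwd):
    """Return the lower-cased absolute directory a `git clone` command line
    writes to, or None if the command line is not a clone."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if "clone" not in tokens:
        return None
    args, skip = [], False
    for tok in tokens[tokens.index("clone") + 1:]:
        if skip:
            skip = False
        elif tok in OPTS_WITH_VALUE:
            skip = True
        elif not tok.startswith("-"):
            args.append(tok)
    if not args:
        return None
    url = args[0]
    # Explicit destination, else git's default: last URL component minus .git
    dest = args[1] if len(args) > 1 else url.rstrip("/").rsplit("/", 1)[-1].removesuffix(".git")
    path = PureWindowsPath(dest)
    if not path.is_absolute():
        path = PureWindowsPath(cwd) / path
    return str(path).lower()


def under(path, root):
    """True if `path` is `root` or lies beneath it (case-insensitive)."""
    p = path.lower().rstrip("\\")
    return p == root or p.startswith(root + "\\")


def correlate(events, window=timedelta(minutes=15)):
    """Return one alert per interpreter launch from a path cloned by the same
    user no more than `window` earlier."""
    clones, alerts = [], []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = parse_time(ev["UtcTime"])
        image = PureWindowsPath(ev["Image"]).name.lower()
        if image == "git.exe":
            target = clone_target(ev["CommandLine"], ev["CurrentDirectory"])
            if target:
                clones.append((t, target, ev["User"]))
            continue
        if image not in INTERPRETERS:
            continue
        for ct, cpath, user in clones:
            if user != ev["User"] or not (timedelta(0) <= t - ct <= window):
                continue
            if under(ev["CurrentDirectory"], cpath) or cpath in ev["CommandLine"].lower():
                alerts.append({"user": user, "clone_path": cpath, "clone_time": ct,
                               "exec_time": t, "exec_image": ev["Image"],
                               "exec_cmdline": ev["CommandLine"],
                               "delta_s": int((t - ct).total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['user']} ran {a['exec_cmdline']!r} {a['delta_s']}s after cloning {a['clone_path']}")
```

Run as-is it reports only the Downloads clone followed by `python setup.py` two and a half minutes later; the internal repository run 40 minutes after its clone stays below the default 15-minute window. On an engineering estate this rule is noisy by design, so scope it in practice to users outside engineering, to clone URLs outside the organisation's own GitHub organisations, or to clones landing under Downloads or Desktop.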

Five Eyes "Safeguarding Our Secrets" — Chinese military intelligence systematically recruiting via LinkedIn and job platforms

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

On 2026-06-03 the five Five Eyes domestic intelligence agencies (ASIO, CSIS, FBI, MI5, NZSIS) released a joint bulletin warning that China's military-intelligence apparatus is systematically using professional-networking and freelance-work platforms — LinkedIn, Indeed, Upwork — to identify and cultivate cleared personnel, academics, researchers and defence/policy staff (MI5; The Record, 2026-06-03; daily 2026-06-06). The tradecraft: operatives pose as recruiters or think-tank staff for fabricated cover companies outside China, open with benign foreign-policy research commissions paying hundreds to a few thousand dollars per deliverable, then escalate toward sensitive material and migrate the relationship to encrypted messaging to reduce platform visibility. Switzerland — outside Five Eyes but a hub for international organisations, financial regulation, and dual-use research — is squarely in the target set. The defensible surface is personnel-security, not EDR: brief cleared and research staff on the innocuous-task-to-sensitive-request progression and give them a low-friction route to report unsolicited foreign-recruitment contact.

Five Eyes joint bulletin: Chinese military intelligence recruiting cleared personnel through LinkedIn and job platforms

From CTI Daily Brief — 2026-06-06 · published 2026-06-06

On 2026-06-03 the five Five Eyes domestic-intelligence services (ASIO, CSIS, FBI, MI5, NZSIS) released an unusual joint bulletin, Safeguarding Our Secrets, warning that China's military-intelligence apparatus is systematically using professional-networking and freelance-work platforms — LinkedIn, Indeed, Upwork — to identify and cultivate people with access to classified or otherwise privileged information (MI5, 2026-06-03; The Record, 2026-06-03). Operatives pose as recruiters, consultants, HR representatives or think-tank staff for fabricated cover companies outside China, open with benign foreign-policy / defence / trade research commissions paying hundreds to a few thousand dollars per deliverable, then escalate toward sensitive material and migrate the relationship to encrypted messaging to reduce platform visibility. Named target categories include security-clearance holders, military personnel, academics, researchers and journalists.

Why it matters to us: This is a human-intelligence tradecraft advisory rather than a technical-intrusion one, and Switzerland — outside Five Eyes but a hub for international organisations, financial regulation and dual-use research — is squarely in the target set. The defensible surface is personnel-security, not EDR: brief cleared and research staff on the innocuous-task-to-sensitive-request progression, give them a low-friction route to report unsolicited foreign-recruitment contact, and treat unsolicited "paid policy paper" approaches to staff with administrative or network access as a counter-intelligence signal, not a side gig.

Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

Wiz CIRT identified and named JINX-0164 on 2026-05-27, a financially motivated cluster active since mid-2025 against cryptocurrency organisations. Initial access is LinkedIn-based social engineering — fake recruiter personas direct targets to fraudulent video-conferencing platforms that deliver AUDIOFIX, a compiled-Python macOS binary functioning as both infostealer and backdoor. AUDIOFIX harvests Keychain contents, Chrome / Firefox / Safari credentials, SSH keys, AWS / GCP / Azure cloud-provider credentials, and credentials from 51 cryptocurrency-wallet browser extensions; persistence is a LaunchAgent plist under ~/Library/LaunchAgents. From the endpoint, JINX-0164 pivots into CI/CD infrastructure using stolen developer credentials and injects poisoned commits under legitimate developer identities; any team member building from the affected branches receives MINIRAT, a lightweight Go-based backdoor. The supply-chain escalation materialised through the @velora-dex/sdk npm package version 4.9.1 (trojanised 2026-04-07), which staged MINIRAT with launchctl-based persistence. Wiz notes TTP overlap with prior DPRK-adjacent tradecraft (UNC1069, Sapphire Sleet) but stops short of formal attribution. The Hacker News writeup corroborates with additional MINIRAT detail. Mapped to T1566.003 (Spearphishing via Service: LinkedIn), T1543.001 (Launch Agent), T1555 (Credentials from Password Stores), T1195.002 (Compromise Software Supply Chain) and T1098.005 (Device Registration). For Swiss / EU SOCs the relevant exposure is Crypto Valley and any organisation whose developers build from npm dependencies that fan out to internal CI/CD. The operational asks are Sigstore signature verification, lock-file pinning with an explicit block on @velora-dex/sdk 4.9.1, and CI runner least-privilege; note that provenance attestations bind a package to the commit it was built from and do not vouch for that commit, which is exactly the link JINX-0164 poisons.
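The lock-file check from the closing sentence, as an added example (not Wiz or ctipilot code): it walks an npm package-lock.json in either the v1 nested layout or the v2/v3 flat `packages` layout, and reports any dependency resolved to the trojanised version, any entry with no `integrity` hash (nothing for `npm ci` to verify), and any entry resolved from somewhere other than a trusted registry. The package name and version on the deny list come from the Wiz write-up; the lock-file content, package names and integrity strings are constructed, and the trusted-registry list is an assumption to be extended with any private registry in use.

```python
"""Audit an npm package-lock.json for a known-trojanised package version and
for entries that cannot be verified against a trusted registry.

Added example; the lock file below is constructed, only @velora-dex/sdk 4.9.1
is taken from the reporting.
"""
import json

DENYLIST = {("@velora-dex/sdk", "4.9.1")}
# Assumption: only the public registry is trusted; add private registry URLs here.
TRUSTED_REGISTRY_PREFIXES = ("https://registry.npmjs.org/",)

SAMPLE_LOCK = json.loads(r'''{
  "name": "trading-ui",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "trading-ui", "version": "0.4.2",
         "dependencies": {"@velora-dex/sdk": "^4.9.0", "semver": "^7.6.0",
                          "internal-helper": "github:example-org/internal-helper"}},
    "node_modules/@velora-dex/sdk": {
      "version": "4.9.1",
      "resolved": "https://registry.npmjs.org/@velora-dex/sdk/-/sdk-4.9.1.tgz",
      "integrity": "sha512-CONSTRUCTEDaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=="
    },
    "node_modules/semver": {
      "version": "7.6.0",
      "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz",
      "integrity": "sha512-CONSTRUCTEDbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb=="
    },
    "node_modules/internal-helper": {
      "version": "1.0.0",
      "resolved": "git+ssh://git@github.com/example-org/internal-helper.git#0123abcd"
    }
  }
}''')


def iter_lock_entries(lock):
    """Yield (name, version, resolved, integrity) for every installed package,
    handling lockfileVersion 2/3 (flat `packages`) and 1 (nested `dependencies`)."""
    if "packages" in lock:
        for key, meta in lock["packages"].items():
            if key == "":
                continue  # the root project itself
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = meta.get("name") or key[key.rfind("node_modules/") + len("node_modules/"):]
            yield name, meta.get("version"), meta.get("resolved"), meta.get("integrity")
    elif "dependencies" in lock:
        stack = list(lock["dependencies"].items())
        while stack:
            name, meta = stack.pop()
            yield name, meta.get("version"), meta.get("resolved"), meta.get("integrity")
            stack.extend(meta.get("dependencies", {}).items())


def audit(lock):
    """Return (finding, name, version) tuples; an empty list means the lock is clean."""
    findings = []
    for name, version, resolved, integrity in iter_lock_entries(lock):
        if (name, version) in DENYLIST:
            findings.append(("DENYLISTED", name, version))
        if not integrity:
            findings.append(("NO_INTEGRITY", name, version))
        if resolved and not resolved.startswith(TRUSTED_REGISTRY_PREFIXES):
            findings.append(("UNTRUSTED_SOURCE", name, version))
    return findings


if __name__ == "__main__":
    for finding, name, version in audit(SAMPLE_LOCK):
        print(f"{finding}: {name}@{version}")
```

Pair this with `npm ci` in CI, which installs exactly what the lock file records and fails if package.json and the lock disagree; that is what turns the pin into an enforced control rather than a suggestion. `npm audit signatures` adds the registry-signature and Sigstore provenance check, but a deny list of the known-bad version is still needed because a version published from a poisoned commit under a legitimate identity carries valid signatures and valid provenance.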