A previously unreported threat actor has been observed targeting cryptocurrency firms with custom macOS malware, fake recruiter approaches and the hijacking of internal development pipelines. Wiz attributes the activity to a financially motivated cluster it now tracks as Jinx-0164.

Active since at least mid-2025 and focused almost entirely on macOS, the actor shares techniques with North Korean groups such as UNC1069, also known as Sleet. However, it implements those techniques differently and shows no infrastructure overlap with any tracked actor, and Wiz stopped short of linking it to a state-sponsored group.

Fake Meetings and a Cloned Audio Driver

The intrusions typically begin on LinkedIn, where the attacker poses as a business contact or recruiter using a credible profile. The target is invited to a virtual meeting on a lookalike domain impersonating a service such as Microsoft Teams. Joining the call triggers a fake technical fault and a prompt to run a "fix," which installs the malware.

The payload, a Python-based stealer and remote access tool named Audiofix, masquerades as a system audio driver and runs on both Intel and Apple Silicon machines. Audiofix harvests Keychain contents, browser credentials, SSH keys, cloud provider keys and data from 51 cryptocurrency wallet browser extensions. It also hijacks Discord, Slack and Telegram sessions and monitors the clipboard for copied wallet addresses.

From Laptops to Code Pipelines

Rather than pivoting into cloud accounts, Jinx-0164 turned harvested GitHub tokens against the victim's development infrastructure, using the open-source tool nord-stream to pull secrets from CI/CD pipelines. It then injected Audiofix into internal repositories, disguising the commits under other developers' names and pushing them to main or to existing branches.

When colleagues built from the poisoned repositories, their machines were infected too, turning the build process into a propagation channel. Wiz said GitHub's Vigilant Mode, which marks any commit attributed to an account that is not signed with one of that account's verified keys as "Unverified," helped expose the impersonation and halt the spread.

The group's reach has extended beyond direct intrusions. On April 7, it trojanized version 4.9.1 of the npm package @velora-dex/sdk, a widely used decentralized exchange toolkit, appending code that fetched a second macOS backdoor called MINIRAT.

The recruitment-themed lure is itself well established among crypto-focused attackers, echoing earlier campaigns by groups such as Slow Pisces.

Wiz urged defenders to watch for the published indicators of compromise, for unexpected use of VPN services including Mullvad, Astrill and ExpressVPN, and for secret exfiltration from CI/CD workflows. It also advised enabling logs that are off by default, such as GitHub IP logging, and treating unverified commits as suspect.

Image credit: alexgo.photography / Shutterstock.com
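The two controls Wiz recommends for the repository side, treating unverified commits as suspect and noticing commits forged under a colleague's name, can be checked outside GitHub's UI as well. The script below is an added example, not code from Wiz or GitHub. It parses the output of git's own `--format` string (`%G?` is git's signature-status code, `%x1f` a field separator) and flags commits that are unsigned, badly signed, or whose author or committer identity falls outside an allowlist. The commit hashes, names, addresses and the allowlist are constructed for the example.

```python
"""Flag unverified or impersonated commits in `git log` output.

Run against a real repository with:
  git log --format='%H%x1f%G?%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%s' main \
      | python3 commit_audit.py
The SAMPLE_LOG and KNOWN_IDENTITIES below are constructed; the hashes,
names and addresses are hypothetical.
"""
import sys
from dataclasses import dataclass

FIELD_SEP = "\x1f"  # matches %x1f in the git format string

# Meaning of git's %G? codes. Only "G" is a good signature from a trusted key;
# everything else is what GitHub's Vigilant Mode would show as "Unverified".
SIG_STATUS = {
    "G": "good signature",
    "B": "BAD signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}


@dataclass
class Commit:
    sha: str
    sig: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    subject: str


def parse_log(text):
    """Parse one commit per line, seven FIELD_SEP-separated fields each."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(FIELD_SEP)
        if len(parts) != 7:
            raise ValueError(f"unexpected field count: {line!r}")
        commits.append(Commit(*parts))
    return commits


def audit(commits, known_identities):
    """Return (sha, reason) findings.

    known_identities maps a developer's e-mail to the display name they use,
    so a commit that reuses a real address with a different name, or a real
    name with an unknown address, is caught as well as an unsigned one.
    """
    findings = []
    for c in commits:
        if c.sig != "G":
            status = SIG_STATUS.get(c.sig, f"unknown status {c.sig!r}")
            findings.append((c.sha, f"unverified: {status}"))
        if c.author_email != c.committer_email:
            findings.append((c.sha, f"author {c.author_email} != committer {c.committer_email}"))
        for role, name, email in (("author", c.author_name, c.author_email),
                                  ("committer", c.committer_name, c.committer_email)):
            expected = known_identities.get(email)
            if expected is None:
                findings.append((c.sha, f"{role} e-mail not in allowlist: {email}"))
            elif expected != name:
                findings.append((c.sha, f"{role} name {name!r} does not match {email} ({expected!r})"))
    return findings


def suspicious_shas(findings):
    """Distinct commits that produced at least one finding, in sorted order."""
    return sorted({sha for sha, _ in findings})


# Constructed allowlist and log for the example (hypothetical identities).
KNOWN_IDENTITIES = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Example",
}

SAMPLE_LOG = "\n".join(FIELD_SEP.join(f) for f in [
    # Legitimate, signed commit.
    ("a1a1a1", "G", "Alice Example", "alice@example.com", "Alice Example", "alice@example.com", "Fix flaky test"),
    # Unsigned commit with Alice's name and address set via `git config`: the impersonation pattern.
    ("b2b2b2", "N", "Alice Example", "alice@example.com", "Alice Example", "alice@example.com", "Update build script"),
    # Unsigned, author forged as Bob but committed from an address nobody on the team uses.
    ("c3c3c3", "N", "Bob Example", "bob@example.com", "Bob Example", "bob@attacker.example", "Bump deps"),
    # Signed, but with a key the auditing host does not have.
    ("d4d4d4", "E", "Alice Example", "alice@example.com", "Alice Example", "alice@example.com", "Refactor"),
])


def main():
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for sha, reason in audit(parse_log(text), KNOWN_IDENTITIES):
        print(f"{sha[:12]}  {reason}")


if __name__ == "__main__":
    main()
```

The `%G?` code depends on which public keys the auditing host holds, so run it where the team's signing keys are imported; otherwise every commit reports "E" and the signature check degrades to the identity checks alone.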
A new threat actor, Jinx-0164, targets macOS cryptocurrency developers via social engineering on LinkedIn, luring victims to fake meeting domains that deploy a Python-based stealer called Audiofix. The malware harvests credentials, keys, and wallet data, and the actor further propagates it by hijacking GitHub tokens to inject malware into CI/CD pipelines and internal repositories. Defenders should monitor for the published indicators of compromise, enable GitHub IP logging, treat unverified commits as suspect, and scrutinize unexpected VPN service usage.