Wiz Disclosed JINX-0164, a New macOS Threat Actor Hitting Crypto Devs With Recruiter Lures

Wiz disclosed JINX-0164, a previously unreported actor running LinkedIn recruiter lures, custom macOS malware, and CI/CD hijacking against cryptocurrency developers. The playbook mirrors documented North Korean tradecraft, but Wiz preserves the attribution hedge.


Key Takeaways

  • Wiz Research disclosed JINX-0164, a previously unreported threat actor that has been targeting cryptocurrency-organization developers since at least mid-2025 with LinkedIn recruiter lures, custom macOS malware, and CI/CD-pipeline hijacking.
  • JINX-0164's playbook — fake recruiter, custom macOS payload, GitHub-token theft, and propagation through CI/CD — mirrors the documented North Korean Lazarus-umbrella crypto-developer attack profile; Wiz notes analogues to UNC1069 and Sapphire Sleet but preserves the attribution hedge.
  • Crypto-sector engineering and security teams should brief recruiting and developer staff on fake-recruiter macOS lures, tighten CI/CD-pipeline access from developer endpoints, and treat any compromised macOS developer machine as a CI/CD-blast-radius event rather than a single-host one.

JINX-0164 is the second documented operator running the recruiter-lure-plus-custom-macOS-payload-plus-CI/CD playbook against cryptocurrency developers — and whether it extends the Lazarus operator population or duplicates it, the playbook itself is now the documented attack profile for the sector.

NEW YORK, NEW YORK — On May 27, 2026, Wiz Research disclosed JINX-0164, a previously unreported threat actor running a campaign that targets cryptocurrency-organization developers with LinkedIn recruiter lures, custom macOS malware, and the hijacking of victim CI/CD infrastructure. In a blog post titled "Commit to Compromise," the Wiz Customer Incident Response Team (CIRT) and Wiz Research — including researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read — describe a financially motivated cluster of activity active since at least mid-2025, with intrusions that move laterally from a single compromised developer laptop into the targeted organization's code-distribution systems and pipelines.

The campaign uses two custom macOS payloads — AUDIOFIX, a Python-binary infostealer-and-backdoor, and MINIRAT, a Go backdoor delivered through an April 2026 npm supply-chain operation against the `@velora-dex/sdk` package — and routes both to a hard-coded primary command-and-control domain, `datahub.ink`. The disclosure was carried across the May 27-28, 2026 coverage cycle by The Hacker News and Infosecurity Magazine.

Disclosure Overview
Disclosure: JINX-0164, detailed by Wiz Customer Incident Response Team and Wiz Research in a blog post titled "Commit to Compromise," published May 27, 2026
Researchers: Wiz CIRT and Wiz Research — Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read
Threat Actor: JINX-0164 — previously unreported, financially motivated, active since at least mid-2025
Targets: Cryptocurrency organizations and their developers
Initial Access: LinkedIn social engineering — fake recruiter or business-partner profile leading to a malicious teleconference link
Custom Malware: AUDIOFIX — Python-binary infostealer and backdoor for macOS; MINIRAT — Go backdoor used in the April 2026 supply-chain operation
Post-Compromise Focus: CI/CD infrastructure — GitHub-token theft and pipeline-secret extraction via the open-source nord-stream tool
Command and Control: `datahub.ink` (primary) with `cloud-sync.online` and `byte-io.us` as hard-coded backups
Attribution: None named — Wiz notes analogues to UNC1069/Sleet and Sapphire Sleet but does not attribute JINX-0164 to any North Korean group

What Happened

Wiz Research disclosed JINX-0164 on May 27, 2026, after Wiz CIRT investigated multiple intrusions at cryptocurrency organizations and found a consistent pattern: a developer is approached on LinkedIn by a credible-looking profile, agrees to a virtual meeting, follows the meeting link to a domain masquerading as a teleconference provider, and unknowingly downloads and runs a macOS payload that gives the operator remote access. Wiz tracks the cluster as a previously unreported, financially motivated actor active since at least mid-2025. Multiple intrusions follow the same playbook closely enough that Wiz treats them as one operator population.

Once on the developer's machine, the campaign's documented post-compromise focus is the victim organization's code-distribution and CI/CD infrastructure. The AUDIOFIX payload harvests Keychain contents, browser credentials, SSH keys, cloud-provider keys, and the details of 51 cryptocurrency-wallet browser extensions, and it hijacks Discord, Slack, and Telegram sessions and watches the clipboard for copied wallet addresses. GitHub tokens captured from the endpoint are then turned against the victim's own development infrastructure — the operator uses the open-source nord-stream tool to extract GitHub Actions secrets from CI/CD pipelines and pushes the AUDIOFIX payload back into internal repositories under spoofed commit-author identities. When other employees build from the poisoned repositories, their machines are infected in turn, and the build process itself becomes a propagation channel.

The Recruiter Lure, the Fake Teleconference, and the macOS Payload

JINX-0164's initial-access tradecraft is the part of the campaign that is most operationally familiar. The attacker approaches a developer on LinkedIn from a profile that looks credible — established connections, relevant employment history, alignment with the cryptocurrency industry — and offers a business meeting. The meeting invite carries a link to a domain that imitates a teleconference provider, and clicking it triggers what looks like a routine client download. The download is the AUDIOFIX macOS payload. The compromised LinkedIn profiles, Wiz notes, sometimes belong to real cryptocurrency-industry professionals whose accounts were taken over, and sometimes belong to convincing personas that are deleted within days of the compromise and never re-enabled — a tell that they were stood up specifically for the operation. The pattern is the same whether the operator behind it is JINX-0164 or one of the documented North Korean clusters: the recruiter is the front door.

AUDIOFIX, MINIRAT, and a Supply-Chain Operation on npm

JINX-0164 uses two custom macOS malware families, both compiled to run on ARM64 and x86_64. AUDIOFIX is a Python binary that combines an infostealer with backdoor functionality, used in the initial-access incidents Wiz investigated. MINIRAT is a lighter Go backdoor — host fingerprint, public-IP registration with a command-and-control server, file upload and download, and arbitrary shell-command execution — and it was distributed through a separate supply-chain operation. On April 7, 2026, JINX-0164 trojanized version 4.9.1 of the npm package `@velora-dex/sdk`, an SDK for the Velora DEX aggregator, by appending three lines to its compiled `dist/index.js` — the package, when imported, fetched a shell script that downloaded MINIRAT. The corresponding source code on GitHub was not modified, suggesting the operators held npm credentials but not source-repository access. Both malware families share the same three hard-coded C2 domains, with `datahub.ink` as the primary and `cloud-sync.online` and `byte-io.us` as backups; a slightly modified MINIRAT sample uploaded to VirusTotal on May 8, 2026 indicates the actor continues to operate.

The Lazarus-Playbook Comparison — and the Hedge

What makes JINX-0164 significant beyond the technical details is the playbook it runs. Fake recruiter, custom macOS payload, GitHub-token theft, CI/CD-pipeline propagation — that is the documented North Korean Lazarus-umbrella crypto-developer attack profile, and it is the same profile The CyberSignal covered just five days earlier in the Fox-IT disclosure of the Lazarus RemotePE memory-only RAT against finance and crypto organizations. Wiz draws the comparison explicitly: it notes that JINX-0164's tactics and malware capabilities have analogues in UNC1069 (Sleet) and that the spoofing domains resemble those used by other North Korean actors. But Wiz preserves the attribution hedge. While the similarities suggest some association, Wiz writes, JINX-0164's implementations are distinct from UNC1069/Sleet's, and JINX-0164 infrastructure does not overlap with publicly tracked North Korean groups. The cluster is, in Wiz's framing, previously unreported and not attributed to any named state-aligned actor. The CrowdStrike 2026 FinServ report documented $2.02 billion in DPRK theft from the financial sector in 2025 with a 51% year-over-year increase, and ESET's October 2025 - March 2026 APT report tracked Lazarus's continued operations alongside DPRK targeting of crypto assets — JINX-0164 either extends that operator population or duplicates its tradecraft, and both readings carry weight.

Scope and Impact

The reason the disclosure matters for crypto-sector defenders is the propagation pattern. AUDIOFIX does not stop at the developer's laptop — it harvests the GitHub tokens stored or used on the endpoint, and the operator turns those tokens against the organization's own CI/CD pipelines. From there, the operator uses the open-source nord-stream tool to extract GitHub Actions secrets, then pushes the AUDIOFIX payload back into internal repositories under spoofed commit-author identities so that any colleague who builds from the poisoned branch is infected in turn. Wiz observed the technique caught in one incident by GitHub's Vigilant Mode commit-signature checking, which surfaced a mismatch between the signing GPG key's historical user and the listed commit author — a useful detection signal for any organization that does not currently enforce it. The blast radius of a successful single-developer compromise is therefore the organization's pipeline and any colleague who builds from a poisoned repository, not a single host.

Several specifics remain unconfirmed and should not be inferred. Wiz does not name the victim organizations, does not say how many cryptocurrency organizations were compromised in total, and does not publish the dollar value of digital assets that have been stolen. Whether the operators behind JINX-0164 are operationally distinct from the documented North Korean clusters or share personnel and tooling with them is not stated by Wiz and should not be assumed — Wiz's framing is that JINX-0164 is previously unreported and that its implementations differ from UNC1069/Sleet despite playbook similarities. Whether the slightly modified MINIRAT sample uploaded to VirusTotal in May 2026 corresponds to additional victim organizations beyond the trojanized `@velora-dex/sdk` distribution is not detailed. And while the supply-chain operation against Velora's npm package is documented, the downstream victim count — how many developers and projects pulled the trojanized SDK before its removal — is not reported.

JINX-0164 lands inside a broader cluster of crypto-developer-targeted activity that The CyberSignal has tracked through May 2026. The same week it was disclosed, Fox-IT published the Lazarus RemotePE memory-only RAT used as the final stealth stage of Lazarus intrusions into financial and cryptocurrency organizations. Earlier in the month, CrowdStrike's 2026 FinServ Threat Landscape Report documented $2.02B in DPRK digital-asset theft — driven by PRESSURE CHOLLIMA, FAMOUS CHOLLIMA, and STARDUST CHOLLIMA running, between them, the same fake-recruiter, AI-persona, and supply-chain primitives JINX-0164 uses. And ESET's October 2025 - March 2026 APT report tracked the same operator population across the broader six-month window. JINX-0164 is the third disclosure in May that draws the same playbook against the same sector.

Response and Attribution

For crypto-organization CISOs and security teams, the immediate brief is to your recruiting function and your developers: fake-recruiter macOS lures targeting cryptocurrency-organization developers are a documented current threat, and the entry point is a LinkedIn message followed by a teleconference link. Treat any unsolicited recruiter outreach to a developer at a crypto firm as a high-risk vector by default, and audit macOS developer endpoints for unsigned binaries, anomalous launch agents and daemons in `~/Library/LaunchAgents/` and `/Library/LaunchDaemons/`, and unexpected outbound network connections — particularly to `datahub.ink`, `cloud-sync.online`, or `byte-io.us`. Tighten CI/CD-pipeline access for developer endpoints; JINX-0164's documented post-compromise focus is the pipeline, not the host, and any successful developer compromise should be triaged as a CI/CD-compromise hypothesis from the first minute.
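One way to run the launch-agent and launch-daemon audit described above, as an added example that is not Wiz's tooling: it parses each plist with the standard library and flags entries that reference one of the three published C2 domains or start a program from a temp, shared, or hidden path. The sample plists it writes to a temporary directory are constructed for the demonstration.

```python
"""Audit launchd plists for the indicators listed above (added example, not Wiz tooling).
A constructed sample plist is written to a temp dir so this runs offline on any OS;
on a real Mac, point audit_dir at ~/Library/LaunchAgents and /Library/LaunchDaemons.
"""
import os
import plistlib
import tempfile
from typing import Dict, List

C2_DOMAINS = ("datahub.ink", "cloud-sync.online", "byte-io.us")  # published by Wiz
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def audit_plist(path: str) -> List[str]:
    """Return reasons a plist looks anomalous; an empty list means nothing was flagged."""
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # a malformed plist in a launch dir is itself worth a look
        return [f"unparseable plist: {exc}"]
    # launchd accepts either Program or ProgramArguments; normalise both to one argv list
    argv = list(plist.get("ProgramArguments") or [])
    if plist.get("Program"):
        argv.insert(0, plist["Program"])
    joined = " ".join(argv)
    reasons = [f"references C2 domain {d}" for d in C2_DOMAINS if d in joined]
    if argv and (argv[0].startswith(USER_WRITABLE) or "/." in argv[0]):
        reasons.append(f"program in user-writable or hidden path: {argv[0]}")
    return reasons


def audit_dir(directory: str) -> Dict[str, List[str]]:
    """Audit every .plist in a directory; the result maps file name -> findings."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            reasons = audit_plist(os.path.join(directory, name))
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_dir() -> str:
    """Write one benign and one constructed suspicious plist so the audit has input."""
    d = tempfile.mkdtemp()
    samples = {
        "com.example.updater.plist": {"Label": "com.example.updater",
                                      "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True},
        "com.example.sample-beacon.plist": {"Label": "com.example.sample-beacon",
                                            "ProgramArguments": ["/Users/Shared/.cache/helper",
                                                                 "--server", "datahub.ink"],
                                            "RunAtLoad": True, "KeepAlive": True},
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(data, fh)
    return d
```

Path heuristics are a starting point, not a verdict; pair the findings with the code-signature and outbound-connection checks the brief above calls for.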

For SOC and threat-hunting teams, hunt outbound from macOS developer endpoints to cryptocurrency-exchange-impersonating, recruiter-platform-impersonating, and teleconference-impersonating infrastructure. Pivot on the JINX-0164 indicators Wiz has published — the three hard-coded C2 domains, the AUDIOFIX and MINIRAT sample hashes, and the `@velora-dex/sdk` trojanized-package version (4.9.1). Add GitHub-audit-log monitoring for git push activity that originates from an endpoint different from the listed commit author's usual one, and enable GitHub's Vigilant Mode commit-signature verification to surface developer-impersonation in commits — the same control that caught JINX-0164 in one of the Wiz-investigated incidents. For incident-response teams at crypto firms, the assumption to bake into the IR plan is that any successful targeted-developer compromise has CI/CD blast radius — rotating CI/CD secrets, cloud credentials, and GitHub and npm tokens is part of the response, not an optional cleanup step.
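The signer-versus-author mismatch that Vigilant Mode surfaced in the Wiz-investigated incident, and the commit-signature hunting suggested above, can be reproduced offline against an existing repository's history. The following is an added example, not Wiz or GitHub code; it assumes records produced by `git log --reverse --format='%H%x1f%ae%x1f%G?%x1f%GK'`, and the records embedded below are constructed.

```python
"""Flag commits whose signing key historically belonged to a different author
(added example, not Wiz or GitHub code). This is the signal GitHub's Vigilant Mode
surfaced in the Wiz-investigated incident. Input is one record per commit from
`git log --reverse --format='%H%x1f%ae%x1f%G?%x1f%GK'` (sha, author email, signature
status, signing key id); constructed records are embedded below so it runs offline.
"""
from typing import Dict, List, Tuple

Commit = Tuple[str, str, str, str]  # (sha, author_email, sig_status, key_id)

# Constructed sample: Alice and Bob each sign with their own key, then a commit
# attributed to Bob arrives signed with Alice's key, then an unsigned commit.
SAMPLE_LOG = "\n".join([
    "a1a1\x1falice@example.test\x1fG\x1fKEYALICE",
    "b2b2\x1fbob@example.test\x1fG\x1fKEYBOB",
    "c3c3\x1fbob@example.test\x1fG\x1fKEYALICE",
    "d4d4\x1fcarol@example.test\x1fN\x1f",
])


def parse_log(text: str) -> List[Commit]:
    """Split git log output on newlines and the 0x1f unit separator emitted by %x1f."""
    commits: List[Commit] = []
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split("\x1f")
        if len(fields) != 4:
            raise ValueError(f"malformed record: {line!r}")
        commits.append((fields[0], fields[1], fields[2], fields[3]))
    return commits


def find_impersonation(commits: List[Commit]) -> List[Dict[str, str]]:
    """Walk commits oldest-first, learn which author each key signs for, flag deviations."""
    key_owner: Dict[str, str] = {}
    findings: List[Dict[str, str]] = []
    for sha, author, status, key in commits:
        if status == "N":  # %G? 'N' = no signature; unsigned pushes sidestep the check entirely
            findings.append({"sha": sha, "author": author, "reason": "unsigned"})
        elif status not in ("G", "U"):  # B bad, E cannot check, X/Y/R expired or revoked key
            findings.append({"sha": sha, "author": author, "reason": f"signature-status-{status}"})
        else:
            owner = key_owner.setdefault(key, author)
            if owner != author:
                findings.append({"sha": sha, "author": author, "reason": "signer-author-mismatch",
                                 "key": key, "key_owner": owner})
    return findings
```

Seeding `key_owner` from a trusted key-to-developer roster instead of the first commit seen avoids learning the wrong owner from a poisoned history.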

On attribution, the honest position is that there is none. Wiz preserves the hedge — analogues to UNC1069/Sleet, no infrastructure overlap, previously unreported actor — and so does this account. For CISOs, the more useful framing is that the crypto-developer-plus-fake-recruiter-plus-macOS-plus-CI/CD pattern is now operationally established across at least two documented actors in May 2026: Lazarus, per the Fox-IT RemotePE disclosure, and JINX-0164, per today's Wiz disclosure. Regardless of how attribution ultimately resolves, the playbook itself is the documented attack profile for the sector, and the defensive posture should be built against the playbook.


The CyberSignal Analysis

Signal 01 — The Playbook Is Now the Signal, Not the Operator

Most coverage of JINX-0164 will frame the disclosure as a new threat actor in the wild. The more important reading is the opposite: the playbook is so consistent across documented operators in this sector that the playbook itself is the durable defensive signal, regardless of which operator runs it. Recruiter lure on LinkedIn, fake-teleconference download, custom macOS payload, GitHub-token theft, nord-stream against CI/CD secrets, and AUDIOFIX-style propagation back into internal repositories — that sequence is now the documented attack profile for the cryptocurrency sector. The defensive implication is structural. Crypto-organization defenders should not wait for an attribution call before treating that sequence as the operating threat model; they should build detection, awareness, and IR muscle memory against the playbook now, and let attribution catch up when and if it does.

Signal 02 — A Single Developer Endpoint Is a CI/CD Incident

The detail in the Wiz disclosure that should change how crypto-sector IR teams plan is the propagation path. AUDIOFIX harvests GitHub tokens, the operator uses nord-stream to extract GitHub Actions secrets, and the operator pushes the payload back into internal repositories under spoofed commit identities so that any colleague who builds from the poisoned branch is infected. The blast radius of a single developer compromise is therefore the pipeline and every developer who pulls from it, not the host that was compromised. That changes the triage default. A successful targeted compromise of a crypto-firm developer is, until proven otherwise, a CI/CD-compromise hypothesis — and the IR playbook should treat secret rotation, pipeline integrity review, and colleague-machine triage as first-hour actions, not week-two cleanup.

Signal 03 — Attribution Hedges Are a Discipline, Not a Cop-Out

Wiz had every cue to attribute JINX-0164 to a North Korean cluster — the targeting matches Lazarus-umbrella patterns, the tradecraft overlaps with UNC1069 and Sapphire Sleet, the spoofing-domain styles resemble those of documented North Korean actors. Wiz chose instead to preserve the hedge: analogues, not attribution; previously unreported, not Lazarus subgroup. That discipline matters. Misattribution distorts the threat picture for defenders and policymakers alike, and a hedged disclosure that lets the operator population be tracked on its own terms is more useful than a confident name that turns out to be wrong. The CyberSignal preserves the hedge with Wiz here for the same reason. The right defensive posture in the meantime is to assume the playbook is the threat — and to treat which operator is running it on any given day as a question for evidence, not vibes.


Sources

Primary: Wiz Research — Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
Reporting: The Hacker News — JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware
Reporting: Infosecurity Magazine — New Threat Actor Jinx-0164 Targets Crypto Developers on macOS