
    Mac malware campaign targets crypto coders — Arabian Post

    By ifonge, May 29, 2026

    Cryptocurrency developers have become the focus of a new macOS-focused cyber campaign that uses fake recruiter approaches, malicious meeting links and compromised software pipelines to steal digital assets and spread malware through trusted internal systems.

    The activity is being tracked as JINX-0164, a previously unreported financially motivated threat actor active since at least mid-2025. Investigators found that the group has targeted cryptocurrency organisations by approaching developers and employees through credible LinkedIn profiles, then steering them towards bogus online meeting platforms or job-related technical tasks that lead to malware installation.

    The campaign marks a shift from conventional credential theft towards deeper attacks on development infrastructure. Once a developer’s workstation is compromised, the attacker seeks access to internal repositories, build systems and code distribution channels, turning the victim’s own engineering environment into a path for wider infection. At least one intrusion unfolded over about two weeks, beginning with social engineering and ending with malicious source-code changes designed to compromise additional endpoints.

    The malware at the centre of the campaign is AUDIOFIX, a Python-based macOS stealer and remote access trojan. It is delivered through scripts hosted on spoofed infrastructure that mimics trusted technology services, including fake Apple-related domains. The payload is built to run on both Intel and Apple Silicon machines, increasing its usefulness against developer teams that rely heavily on macOS laptops.

    After execution, AUDIOFIX attempts to gather credentials from macOS Keychain files, browser stores, password managers, local administrator accounts, SSH keys, configuration files, shell history and cryptocurrency wallet data. It also targets sessions from communications platforms such as Slack, Discord and Telegram, giving the attacker potential access to team discussions, engineering channels and operational details. Cloud secrets, including credentials linked to AWS, Google Cloud, Azure and Cloudflare, are also among the material sought.

    The attacker’s behaviour shows a particular interest in software development pipelines rather than broad cloud exploitation. Although some cloud sign-in attempts were observed, the primary objective appeared to be the abuse of Git repositories and CI/CD systems. In one case, the actor injected AUDIOFIX into internal repositories, altered committer names and email fields to impersonate other developers, pushed code directly to main branches where protections were weak, and hijacked existing branches when direct access was unavailable.

    This technique increases the risk of secondary infections because employees who pull code or build from compromised repositories may unknowingly execute the malware. It also creates a potential route into supply-chain attacks, where malicious code can be distributed through legitimate channels and appear to come from trusted internal teams.

    JINX-0164 has also been linked to MiniRAT, a Go-based backdoor distributed earlier through a compromised version of the npm package @velora-dex/sdk, a toolkit associated with decentralised finance activity. That episode underlined the wider risk facing Web3 and crypto developers, who often depend on open-source packages, automated builds and rapid deployment workflows.

    The campaign resembles tactics used by several North Korea-linked clusters that have targeted cryptocurrency workers through fake jobs, coding tests and video-call lures. However, investigators have not established enough evidence to link JINX-0164 to a state sponsor. The lack of infrastructure overlap with publicly tracked groups has kept attribution cautious, even though the sector focus and social-engineering methods are familiar to threat hunters.

    The use of recruiter themes remains effective because developers are accustomed to technical screening, code challenges and online meetings. Attackers exploit that routine by presenting malicious downloads as meeting fixes, drivers or project dependencies. The approach is particularly dangerous in cryptocurrency firms, where developer machines may hold wallet data, deployment keys, exchange credentials and access to sensitive repositories.

    The findings add to growing concern over developer workstations as part of the software supply chain. Security teams have traditionally focused on cloud environments, production servers and perimeter controls, but the campaign shows how a single laptop can become a bridge into source code, secrets and release systems. Strong branch protection, verified commits, hardware-backed keys, endpoint monitoring, restricted token scopes and tighter review of CI/CD secrets have become central defensive measures.
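
An added example, not from the original article or the investigators: a Python check for the repository abuse described above (spoofed committer fields, direct pushes to main, hijacked branches), run over constructed push records. The record schema, the addresses and the finding names are assumptions made for illustration.

```python
from collections import defaultdict

PROTECTED = {"main"}

# Constructed sample push audit records (hypothetical schema, not a real
# server's log format): sha|branch|authenticated pusher|committer email
# claimed in the commit|git %G? signature status|arrived via reviewed PR
SAMPLE_EVENTS = """\
a1f3|main|alice@example.test|alice@example.test|G|yes
e5b7|feature/payments|dave@example.test|dave@example.test|G|no
b2e4|main|bob@example.test|carol@example.test|N|no
c3d5|feature/payments|bob@example.test|dave@example.test|N|no
"""


def audit(log_text):
    """Return {sha: [findings]} for every push event that needs review."""
    branch_pushers = defaultdict(set)  # branch -> pushers seen so far
    flagged = {}
    for line in log_text.strip().splitlines():
        sha, branch, pusher, committer, sig, via_pr = line.split("|")
        findings = []
        # Committer name/email are free text set by the client; the pusher
        # is whoever the server authenticated. A mismatch means the commit
        # claims to come from someone other than the account that sent it.
        if committer.lower() != pusher.lower():
            findings.append("committer-mismatch")
        # git's %G? placeholder reports "G" for a good (valid) signature.
        if sig != "G":
            findings.append("unverified-signature")
        if branch in PROTECTED and via_pr != "yes":
            findings.append("direct-push-to-protected")
        # An account pushing to someone else's existing working branch.
        known = branch_pushers[branch]
        if branch not in PROTECTED and known and pusher not in known:
            findings.append("new-pusher-on-existing-branch")
        known.add(pusher)
        if findings:
            flagged[sha] = findings
    return flagged


if __name__ == "__main__":
    for sha, findings in audit(SAMPLE_EVENTS).items():
        print(sha, ", ".join(findings))
```

In a real deployment the authenticated pusher would come from the Git server's own audit log, and merges performed by the server on a user's behalf would need an allow-listed committer identity.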

    For cryptocurrency firms, the immediate risk is not limited to stolen wallets. A compromised developer account can expose private repositories, internal tooling, customer-facing code and package publishing rights. That combination can allow attackers to move from individual theft to broader ecosystem compromise, especially where release pipelines lack separation of duties or where automated systems accept code changes with limited scrutiny.
