A threat group tracked as JINX-0164 has been running targeted attacks on cryptocurrency companies. The group uses LinkedIn to lure software developers into downloading malware built specifically for macOS.
LinkedIn as a Tool for Cyber Attacks
Active since at least mid-2025, JINX-0164 chains social engineering, credential theft and supply chain compromise into a single campaign against the software development process. An attack begins with a convincing LinkedIn profile that approaches the target with a business proposal or job offer.
Once rapport is established, the victim is sent a link to a fake meeting page styled after Microsoft Teams. Following the link delivers a macOS remote access tool that starts exfiltrating sensitive data as soon as it runs.
Exploring the Malware Tools: AUDIOFIX and MINIRAT
Researchers at Wiz.io have identified JINX-0164 as a financially motivated actor operating two distinct malware families, AUDIOFIX and MINIRAT, both built for macOS. AUDIOFIX is a Python-based backdoor that harvests browser credentials, cryptocurrency wallet browser extensions and other sensitive data.
It communicates with its command-and-control server over AES-256-CBC-encrypted traffic and can change its polling interval, which defeats detection rules that key on a fixed beacon period. MINIRAT, a lighter backdoor, registers infected machines with the same control infrastructure but concentrates on remote access and command execution.
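Because the C2 traffic is encrypted, inspecting request contents tells a defender little; what survives encryption is timing. The following is an added example, not code from the Wiz report or from the malware itself, that scores outbound connections per source/destination pair by how regular their spacing is, so that a beacon that jitters or changes its sleep time still stands out. The log lines, IP addresses, window size and dispersion threshold are all constructed or assumed for the example.

```python
"""Flag src->dst pairs whose connection timestamps recur at near-regular intervals.

Added example, not code from the Wiz report or from JINX-0164's tooling.
A polling backdoor that sleeps N seconds (plus some jitter) between check-ins
leaves a tight spread of inter-arrival times even though no single interval is
exact; the median absolute deviation relative to the median interval captures that.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample outbound-connection log (not real telemetry):
# "<ISO timestamp> <source IP> -> <destination IP>"
# 10.0.0.5 -> 203.0.113.10 polls roughly every 60 s with +/-10% jitter;
# 10.0.0.7 -> 198.51.100.20 is bursty, human-looking browsing;
# 10.0.0.5 -> 198.51.100.20 has too few connections to judge.
SAMPLE_LOG = """\
2026-04-07T09:00:00 10.0.0.5 -> 203.0.113.10
2026-04-07T09:01:00 10.0.0.5 -> 203.0.113.10
2026-04-07T09:01:57 10.0.0.5 -> 203.0.113.10
2026-04-07T09:03:02 10.0.0.5 -> 203.0.113.10
2026-04-07T09:03:58 10.0.0.5 -> 203.0.113.10
2026-04-07T09:05:00 10.0.0.5 -> 203.0.113.10
2026-04-07T09:05:54 10.0.0.5 -> 203.0.113.10
2026-04-07T09:06:58 10.0.0.5 -> 203.0.113.10
2026-04-07T09:07:58 10.0.0.5 -> 203.0.113.10
2026-04-07T09:08:56 10.0.0.5 -> 203.0.113.10
2026-04-07T09:09:59 10.0.0.5 -> 203.0.113.10
2026-04-07T09:10:54 10.0.0.5 -> 203.0.113.10
2026-04-07T09:00:00 10.0.0.7 -> 198.51.100.20
2026-04-07T09:00:04 10.0.0.7 -> 198.51.100.20
2026-04-07T09:02:10 10.0.0.7 -> 198.51.100.20
2026-04-07T09:02:11 10.0.0.7 -> 198.51.100.20
2026-04-07T09:02:15 10.0.0.7 -> 198.51.100.20
2026-04-07T09:10:00 10.0.0.7 -> 198.51.100.20
2026-04-07T09:20:00 10.0.0.7 -> 198.51.100.20
2026-04-07T09:20:03 10.0.0.7 -> 198.51.100.20
2026-04-07T09:21:00 10.0.0.7 -> 198.51.100.20
2026-04-07T09:00:30 10.0.0.5 -> 198.51.100.20
2026-04-07T09:01:30 10.0.0.5 -> 198.51.100.20
"""


def parse_log(text):
    """Group connection timestamps by (src, dst), sorted by time."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in pairs.items()}


def regularity(intervals):
    """Return (median interval, relative dispersion) for gaps in seconds.

    Relative dispersion = median absolute deviation / median interval. Values
    near 0 mean the gaps are almost identical; values near 1 mean they are not.
    """
    med = median(intervals)
    if med <= 0:
        return med, float("inf")
    mad = median(abs(x - med) for x in intervals)
    return med, mad / med


def best_window(intervals, window):
    """Lowest dispersion over any run of `window` consecutive intervals.

    Scanning windows rather than the whole series still catches a backdoor that
    changes its sleep time mid-infection (say 60 s, then 300 s): each regime is
    regular on its own even though the combined series is not.
    """
    best = None
    for i in range(len(intervals) - window + 1):
        med, disp = regularity(intervals[i:i + window])
        if best is None or disp < best[1]:
            best = (med, disp)
    return best


def find_beacons(log_text, window=8, max_dispersion=0.2):
    """Return pairs whose connection gaps look machine-regular.

    `window` and `max_dispersion` are tuning assumptions for this example; a
    real deployment would derive them from baseline traffic.
    """
    findings = []
    for (src, dst), times in parse_log(log_text).items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < window:
            continue  # too few samples to judge
        med, disp = best_window(gaps, window)
        if disp <= max_dispersion:
            findings.append({"src": src, "dst": dst, "connections": len(times),
                             "median_interval_s": med, "dispersion": round(disp, 3)})
    return sorted(findings, key=lambda f: f["dispersion"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, only the 10.0.0.5 to 203.0.113.10 pair is reported, with a median interval near 60 s and a dispersion around 0.05, while the browsing host scores above 0.9 and is ignored. The threshold is deliberately loose because a jittered beacon is still far more regular than anything a person generates; tighten it only after measuring the dispersion of legitimate periodic traffic such as update checks.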
Implications for the Software Supply Chain
On April 7, 2026, JINX-0164 extended its operations to the software supply chain by tampering with version 4.9.1 of the npm package @velora-dex/sdk. The modified release carried a shell script that installs MINIRAT on any system that pulls the package into a project.
Although the compromise was limited to npm publishing credentials, the incident shows how one set of stolen credentials can turn a trusted dependency into a malware delivery channel. Organizations are advised to deploy Endpoint Detection and Response tooling and to enable audit logging so that anomalous activity is recorded and can be detected.
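A tampered npm release needs nothing more than an install-time lifecycle script to run a shell script on every machine that pulls it. The following added example, not tooling from the Wiz report or from the package's maintainers, compares two package.json manifests and flags install hooks and script changes between releases. Both manifests are constructed to mimic a clean release and a tampered successor: the previous version 4.9.0, the script name scripts/setup.sh and the other contents are invented for the example.

```python
"""Audit an npm package manifest for install-time script execution.

Added example; this is not tooling from the Wiz report or from the package's
maintainers. npm runs the `preinstall`, `install` and `postinstall` lifecycle
scripts automatically whenever the package is installed as a dependency, so a
single added line in package.json runs a shell script on every machine that
pulls the package. The two manifests below are constructed to look like a
clean release and a tampered successor; the version 4.9.0, the file name
`scripts/setup.sh` and the other contents are invented.
"""
import json
import re
import tarfile

# Hooks npm executes during install (`prepare` is included because it also runs
# when a package is installed from a git URL).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Commands a pure-JS library rarely needs at install time (heuristic assumption).
SUSPICIOUS = re.compile(r"(^|[\s;&|])(sh|bash|zsh|curl|wget|python3?|osascript|base64)\b")

CLEAN_MANIFEST = {
    "name": "@velora-dex/sdk",
    "version": "4.9.0",  # assumed previous release, for the comparison only
    "scripts": {"build": "tsc -p tsconfig.json", "test": "vitest run"},
}
TAMPERED_MANIFEST = {
    "name": "@velora-dex/sdk",
    "version": "4.9.1",
    "scripts": {"build": "tsc -p tsconfig.json", "test": "vitest run",
                "postinstall": "sh ./scripts/setup.sh"},  # invented hook
}


def lifecycle_findings(manifest):
    """Return one finding per install-time hook, rated by what the command runs."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        severity = "high" if SUSPICIOUS.search(cmd) else "medium"
        findings.append({"hook": hook, "command": cmd, "severity": severity})
    return findings


def script_diff(old, new):
    """Scripts added, changed or removed between two manifests."""
    a, b = old.get("scripts", {}), new.get("scripts", {})
    return {
        "added": {k: b[k] for k in b if k not in a},
        "changed": {k: (a[k], b[k]) for k in b if k in a and a[k] != b[k]},
        "removed": [k for k in a if k not in b],
    }


def manifest_from_tarball(path):
    """Read package.json out of a registry tarball (npm nests files under package/)."""
    with tarfile.open(path, "r:gz") as tar:
        member = tar.extractfile("package/package.json")
        return json.load(member)


def audit_release(old, new):
    """Combine both checks into one report for a version bump."""
    return {"version": f"{old.get('version')} -> {new.get('version')}",
            "install_hooks": lifecycle_findings(new),
            "script_changes": script_diff(old, new)}


if __name__ == "__main__":
    print(json.dumps(audit_release(CLEAN_MANIFEST, TAMPERED_MANIFEST), indent=2))
```

To run this against a real release without executing it, fetch the tarball with `npm pack <name>@<version>` (which downloads but does not install) and pass it to `manifest_from_tarball`; `npm view <name>@<version> scripts` shows the same field from registry metadata. Setting `ignore-scripts=true` in `.npmrc` stops npm from running these hooks at all, at the cost of breaking packages that legitimately need them.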
Recommendations for Mitigation and Monitoring
Security teams should watch for unverified (unsigned) GitHub commits, unexpected VPN usage and unusual workflow activity in CI/CD pipelines. Enabling GitHub Vigilant Mode, which marks any commit attributed to an account but lacking a valid signature as Unverified, helps surface impersonation attempts.
Monitoring for the use of secret-extraction tools such as nord-stream, and flagging package publications that originate from unfamiliar IP addresses, can support early detection and prevention of these attacks.
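The commit-level checks above can be automated against the GitHub API. The following is an added example, not tooling from the Wiz report, that flags commits which are unsigned, come from an author outside an expected set, or touch files under .github/workflows/ (the place a pipeline-secret extraction tool or an attacker with a stolen token would add a workflow). The records are constructed in the shape returned by GitHub's REST endpoint GET /repos/{owner}/{repo}/commits/{sha}; the SHAs, names, e-mail addresses and the maintainer allowlist are invented assumptions.

```python
"""Flag GitHub commits that are unsigned, from an unexpected author, or that
modify CI workflow files.

Added example, not tooling from the Wiz report. The records below are constructed
in the shape of GitHub's GET /repos/{owner}/{repo}/commits/{sha} response
(`commit.verification` plus `files`); SHAs, names and e-mail addresses are invented.
"""
import json
import urllib.request

# Assumption for the example: addresses whose commits are expected in this repo.
KNOWN_AUTHORS = {"alice@example.com"}

SAMPLE_COMMITS = [
    {   # legitimate: signed by a known maintainer, touches product code only
        "sha": "a1f3c2e",
        "commit": {"author": {"name": "Alice Example", "email": "alice@example.com"},
                   "message": "fix: handle empty order book",
                   "verification": {"verified": True, "reason": "valid"}},
        "files": [{"filename": "src/orderbook.ts"}],
    },
    {   # impersonation: author fields copied from the maintainer, but no
        # signature, and it rewrites a release workflow
        "sha": "b2d4e6f",
        "commit": {"author": {"name": "Alice Example", "email": "alice@example.com"},
                   "message": "chore: update release pipeline",
                   "verification": {"verified": False, "reason": "unsigned"}},
        "files": [{"filename": ".github/workflows/release.yml"}],
    },
    {   # unsigned commit from an address nobody recognises
        "sha": "c3e5f7a",
        "commit": {"author": {"name": "build-bot", "email": "ci@unknown.example.net"},
                   "message": "bump version",
                   "verification": {"verified": False, "reason": "unsigned"}},
        "files": [{"filename": "package.json"}],
    },
]


def fetch_commit(owner, repo, sha, token):
    """Fetch one commit record from the GitHub REST API (not exercised offline)."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/commits/{sha}",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def commit_issues(record, known_authors):
    """Return the list of problems found with a single commit record."""
    issues = []
    verification = record["commit"].get("verification", {})
    if not verification.get("verified"):
        # Vigilant Mode shows the same condition as an "Unverified" badge in the UI.
        issues.append(f"unverified:{verification.get('reason', 'unknown')}")
    email = record["commit"]["author"]["email"]
    if email not in known_authors:
        issues.append("unknown_author")
    if any(f["filename"].startswith(".github/workflows/")
           for f in record.get("files", [])):
        issues.append("workflow_modified")
    return issues


def audit_commits(records, known_authors):
    """Report every commit with at least one issue, in input order."""
    report = []
    for rec in records:
        issues = commit_issues(rec, known_authors)
        if issues:
            report.append({"sha": rec["sha"],
                           "author": rec["commit"]["author"]["email"],
                           "issues": issues})
    return report


if __name__ == "__main__":
    for entry in audit_commits(SAMPLE_COMMITS, KNOWN_AUTHORS):
        print(entry)
```

The second sample commit is the case Vigilant Mode exists for: the author name and e-mail match a real maintainer, so an allowlist on author identity passes it, but the missing signature does not. An unsigned commit that also changes a workflow file deserves immediate review, because a workflow runs with access to the repository's secrets.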
By staying informed about the evolving tactics of groups like JINX-0164, organizations can better protect their infrastructure from these sophisticated threats.
