Overview
- Wiz published detailed findings on Thursday, May 28, 2026, naming the previously undocumented financially motivated cluster JINX-0164 and describing active targeting of cryptocurrency firms and developers.
- Attackers pose as recruiters on LinkedIn and invite targets to meetings hosted on cloned teleconference domains; the cloned page shows a fake error and prompts the target to download a “fix” that installs malware.
- A bash script hosted on a fake driver-store domain delivered an architecture-aware payload that masqueraded as an audio driver called coreaudiod, was saved as ChromeUpdater, and was executed via launchctl on macOS.
- Compromised endpoints received a Python-based infostealer and the AUDIOFIX remote-access trojan, which can steal keychain and browser credentials, run shell commands, exfiltrate files, and move laterally into development systems.
- The actor also trojanized an npm package (@velora-dex/sdk) to deliver a MiniRAT backdoor. Investigators note tactical parallels with North Korean groups but report no confirmed infrastructure overlap, leaving attribution open, and warn that poisoned builds can propagate infections across teams.
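The macOS persistence described above (a launchd job named after the audio daemon coreaudiod that actually runs a user-writable binary called ChromeUpdater) can be hunted for by auditing launchd property lists. The following Python script is an added example, not code from Wiz or from the report; the two plists it embeds are constructed samples that only reuse the names given in the text, and the list of system daemon names and user-writable path prefixes are assumptions chosen for illustration.

```python
import os
import plistlib
from typing import Dict, List, Optional

# Constructed sample launchd jobs (not artifacts from the Wiz report). The
# suspicious one mirrors the pattern in the text: a label that impersonates the
# audio daemon, pointing at a user-writable binary with an unrelated name.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Backup.app/Contents/MacOS/backup</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.coreaudiod</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Application Support/ChromeUpdater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Names of real macOS system processes that malware commonly impersonates.
# coreaudiod is the one named in the report; the others are assumed extras.
SYSTEM_DAEMON_NAMES = {"coreaudiod", "launchd", "WindowServer", "mdworker"}

# Locations an unprivileged user can write to (assumed list). A launchd job
# whose program lives here deserves more scrutiny than one under /Applications.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/",
                          "/private/var/tmp/", "/var/folders/")

# Directories where Apple's own com.apple.* jobs legitimately live.
APPLE_OWNED_PREFIXES = ("/System/Library/", "/Library/Apple/")


def program_path(job: dict) -> Optional[str]:
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launchd_job(plist_bytes: bytes, plist_path: str) -> List[str]:
    """Return finding codes for one launchd plist; an empty list means clean."""
    job = plistlib.loads(plist_bytes)
    findings: List[str] = []
    label = str(job.get("Label", ""))
    prog = program_path(job)
    if prog is None:
        return ["NO_PROGRAM"]  # nothing to execute; malformed or odd job
    prog_base = os.path.basename(prog)

    # 1. An Apple-namespaced label stored outside Apple-owned directories.
    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_OWNED_PREFIXES):
        findings.append("APPLE_LABEL_OUTSIDE_SYSTEM")

    # 2. The program itself sits in a user-writable location.
    if prog.startswith(USER_WRITABLE_PREFIXES):
        findings.append("PROGRAM_IN_USER_WRITABLE_PATH")

    # 3. Label borrows a system daemon name but the binary is called something else.
    impersonated = [n for n in SYSTEM_DAEMON_NAMES if n.lower() in label.lower()]
    if impersonated and prog_base.lower() not in {n.lower() for n in impersonated}:
        findings.append("LABEL_DAEMON_NAME_MISMATCH")

    # 4. Auto-start or keep-alive on a user-writable program: persistence.
    if (job.get("RunAtLoad") or job.get("KeepAlive")) and \
            "PROGRAM_IN_USER_WRITABLE_PATH" in findings:
        findings.append("PERSISTENT_USER_WRITABLE_PROGRAM")
    return findings


def audit_launch_agents(directories: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Audit every .plist in the usual LaunchAgents/LaunchDaemons folders on a live host."""
    if directories is None:
        home = os.path.expanduser("~")
        directories = [os.path.join(home, "Library/LaunchAgents"),
                       "/Library/LaunchAgents", "/Library/LaunchDaemons"]
    results: Dict[str, List[str]] = {}
    for d in directories:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    findings = audit_launchd_job(fh.read(), path)
            except Exception as exc:  # unreadable or non-plist content is itself worth a look
                findings = [f"UNREADABLE:{exc}"]
            if findings:
                results[path] = findings
    return results


if __name__ == "__main__":
    print("benign    :", audit_launchd_job(BENIGN_PLIST, "/Library/LaunchAgents/com.example.backup.plist"))
    print("suspicious:", audit_launchd_job(SUSPICIOUS_PLIST, "/Users/alice/Library/LaunchAgents/com.apple.coreaudiod.plist"))
    for path, codes in audit_launch_agents().items():
        print(path, codes)
```

launchctl will load a job from any path, not only the standard folders, so on a real investigation pair this with the output of `launchctl list` and compare the loaded labels against the plists actually found on disk; a loaded label with no matching file is a gap the script above cannot see.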
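The supply-chain vector in the last point, a trojanized npm package that spreads through a team's builds, is where a defender wants an install-time audit. The Python script below is an added example, not code from Wiz or from the @velora-dex/sdk project: it lists every dependency that runs a lifecycle hook during `npm install`, compares those against a reviewed allowlist pinned to exact versions, and flags lock-file entries resolved from outside the public registry. Only the package name comes from the report; every version, script command and URL in the embedded samples is a constructed placeholder.

```python
import json
import os
from typing import Dict, List, Set, Tuple

# Lifecycle hooks npm runs automatically when a package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
REGISTRY_PREFIX = "https://registry.npmjs.org/"

# Constructed node_modules snapshot: package name -> its package.json contents.
# Versions and script commands are placeholders, not the real package content.
SAMPLE_TREE: Dict[str, dict] = {
    "lodash-like": {"name": "lodash-like", "version": "1.0.0"},
    "@velora-dex/sdk": {
        "name": "@velora-dex/sdk",
        "version": "0.0.0-placeholder",
        "scripts": {"build": "tsc", "postinstall": "node ./postinstall.js"},
    },
    "native-addon-like": {
        "name": "native-addon-like",
        "version": "2.3.1",
        "scripts": {"install": "node-gyp rebuild"},
    },
}

# Constructed package-lock.json (lockfileVersion 3 layout); one entry is
# resolved from a host other than the public registry.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/lodash-like": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/lodash-like/-/lodash-like-1.0.0.tgz"},
        "node_modules/@velora-dex/sdk": {
            "version": "0.0.0-placeholder",
            "resolved": "https://registry.npmjs.org/@velora-dex/sdk/-/sdk-0.0.0-placeholder.tgz"},
        "node_modules/native-addon-like": {
            "version": "2.3.1",
            "resolved": "https://cdn.example.invalid/native-addon-like-2.3.1.tgz"},
    },
}


def install_hooks(tree: Dict[str, dict]) -> Dict[str, Dict[str, str]]:
    """{package: {hook: command}} for every package that runs code at install time."""
    out: Dict[str, Dict[str, str]] = {}
    for name, pkg in tree.items():
        hooks = {h: cmd for h, cmd in (pkg.get("scripts") or {}).items() if h in INSTALL_HOOKS}
        if hooks:
            out[name] = hooks
    return out


def unreviewed_hooks(tree: Dict[str, dict], allowlist: Set[str]) -> List[str]:
    """name@version of hook-running packages not yet reviewed and pinned in the allowlist."""
    pinned = [f"{n}@{tree[n]['version']}" for n in install_hooks(tree)]
    return sorted(p for p in pinned if p not in allowlist)


def non_registry_resolutions(lock: dict) -> List[Tuple[str, str]]:
    """Lock entries whose tarball was fetched from somewhere other than the public registry."""
    out: List[Tuple[str, str]] = []
    for path, entry in lock.get("packages", {}).items():
        resolved = entry.get("resolved")
        if path and resolved and not resolved.startswith(REGISTRY_PREFIX):
            out.append((path, resolved))
    return out


def load_node_modules(root: str) -> Dict[str, dict]:
    """Read top-level node_modules/*/package.json (including @scope/name) under root."""
    tree: Dict[str, dict] = {}
    base = os.path.join(root, "node_modules")
    if not os.path.isdir(base):
        return tree
    for entry in os.listdir(base):
        dirs = [os.path.join(base, entry)]
        if entry.startswith("@"):  # scoped packages sit one level deeper
            dirs = [os.path.join(base, entry, d) for d in os.listdir(dirs[0])]
        for d in dirs:
            pj = os.path.join(d, "package.json")
            if os.path.isfile(pj):
                with open(pj, encoding="utf-8") as fh:
                    pkg = json.load(fh)
                tree[pkg.get("name", os.path.basename(d))] = pkg
    return tree


if __name__ == "__main__":
    reviewed = {"native-addon-like@2.3.1"}  # hypothetical allowlist maintained by the team
    print("install hooks  :", json.dumps(install_hooks(SAMPLE_TREE), indent=2))
    print("needs review   :", unreviewed_hooks(SAMPLE_TREE, reviewed))
    print("non-registry   :", non_registry_resolutions(SAMPLE_LOCK))
    live = load_node_modules(".")
    if live:
        print("this project   :", unreviewed_hooks(live, reviewed))
```

Running the project's install with `npm ci --ignore-scripts` and then reviewing the hook list produced here before deciding which scripts to run manually keeps a poisoned dependency from executing on every developer's machine the moment the lock file is pulled; the loader above only reads the top level of node_modules, so nested copies need a recursive walk.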