AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
Summary
The AUDIOFIX and MiniRAT malware activity targets cryptocurrency firms and developer infrastructure on macOS with LinkedIn recruiter lures, a fake meeting/fix flow, and a Python-based stealer/RAT that masquerades as a system audio driver. Wiz attributes the activity to Jinx-0164, a previously unreported financially motivated cluster active since mid-2025, and reports that the payload steals Keychain, browser, SSH, and cloud credentials, plus data from 51 cryptocurrency wallet extensions. The operation also abuses GitHub tokens to poison CI/CD pipelines and distributed a trojanized @velora-dex/sdk version 4.9.1 to deliver MiniRAT, expanding the risk from endpoint compromise to supply-chain propagation.
Related Happenings
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
How related:
Wiz has attributed the activity to a financially motivated cluster, now tracked as Jinx-0164, according to new analysis from the company.
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
EtherRAT malicious MSI loader with Ethereum-based C2
Malware Activity
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...
Timeline
- 28.05.2026 10:54 · 3 articles
Wiz tracks JINX-0164 targeting cryptocurrency organizations with AUDIOFIX and MiniRAT
Initial Disclosure: Wiz identified JINX-0164 as a previously undocumented threat actor targeting cryptocurrency organizations and software developers with recruitment-themed social engineering and bespoke macOS malware to enable digital asset theft. The activity uses credible LinkedIn profiles, fake recruiter lures, a rogue meeting flow, and a fake driver store domain at apple.driver-store[.]com to deliver the Python-based macOS infostealer and remote access trojan AUDIOFIX, while a separate delivery path previously distributed the Go-based backdoor MiniRAT through a compromised @velora-dex/sdk npm package. AUDIOFIX steals credentials and other sensitive data, supports manual reconnaissance, exfiltration, arbitrary shell command execution, file deletion, and payload retrieval, and can move laterally into code distribution systems and development infrastructure. Wiz also said there are no infrastructure overlaps connecting JINX-0164 to publicly tracked North Korean groups at this stage.
Sources:
- JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware — thehackernews.com — 28.05.2026 10:54
- New Threat Actor Jinx-0164 Targets Crypto Developers on macOS — www.infosecurity-magazine.com — 28.05.2026 14:30