Find notable cyber news and cases, enriched with sources, timelines, and signals.

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
First reported
Last updated
Happening score
H score 34
2 unique sources, 2 articles

Summary

Hide ▲

The AUDIOFIX and MiniRAT malware activity is targeting cryptocurrency firms and developer infrastructure on macOS with LinkedIn recruiter lures, a fake meeting/fix flow, and a Python-based stealer/RAT that masquerades as a system audio driver. Wiz says the activity is attributed to Jinx-0164, a previously unreported financially motivated cluster active since mid-2025, and that the payload steals Keychain, browser, SSH, and cloud credentials, plus data from 51 cryptocurrency wallet extensions. The operation also abuses GitHub tokens to poison CI/CD pipelines and trojanized @velora-dex/sdk version 4.9.1 to deliver MINIRAT, expanding the risk from endpoint compromise to supply-chain propagation.

Related Happenings

Codfish/semantic-release-action hit by network compromise

Incident
H score21 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...

Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity

Malware Activity
H score36 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...

MacOS XPC cached signature trust privilege escalation privilege-escalation flaw

Vulnerability
H score23 First: 25.06.2026 14:00 Last: 25.06.2026 14:00 Sources 1

About this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...

PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret

Campaign
H score9 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...

Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw

Vulnerability
H score33 First: 22.06.2026 20:28 Last: 22.06.2026 20:28 Sources 1

About this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.

Timeline

  1. 28.05.2026 10:54 3 articles · 1mo ago

    Wiz tracks JINX-0164 targeting cryptocurrency organizations with AUDIOFIX and MiniRAT

    Initial Disclosure

    Wiz identified JINX-0164 as a previously undocumented threat actor targeting cryptocurrency organizations and software developers with recruitment-themed social engineering and bespoke macOS malware to enable digital asset theft. The activity uses credible LinkedIn profiles, fake recruiter lures, a rogue meeting flow, and a fake driver store domain at apple.driver-store[.]com to deliver the Python-based macOS infostealer and remote access trojan AUDIOFIX, while a separate delivery path previously distributed the Go-based backdoor MiniRAT through a compromised @velora-dex/sdk npm package. AUDIOFIX steals credentials and other sensitive data, supports manual reconnaissance, exfiltration, arbitrary shell command execution, file deletion, and payload retrieval, and can move laterally into code distribution systems and development infrastructure; Wiz also said there are no infrastructure overlaps connecting JINX-0164 to publicly tracked North Korean groups at this stage.

    Show sources