AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
Summary
Hide ▲
Show ▼
The AUDIOFIX and MiniRAT malware activity is targeting cryptocurrency firms and developer infrastructure on macOS with LinkedIn recruiter lures, a fake meeting/fix flow, and a Python-based stealer/RAT that masquerades as a system audio driver. Wiz says the activity is attributed to Jinx-0164, a previously unreported financially motivated cluster active since mid-2025, and that the payload steals Keychain, browser, SSH, and cloud credentials, plus data from 51 cryptocurrency wallet extensions. The operation also abuses GitHub tokens to poison CI/CD pipelines and trojanized @velora-dex/sdk version 4.9.1 to deliver MINIRAT, expanding the risk from endpoint compromise to supply-chain propagation.
Related Happenings
Codfish/semantic-release-action hit by network compromise
Incident
H score21
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Codfish/semantic-release-action hit by network compromise
IncidentAbout this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware Activity
H score36
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware ActivityAbout this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
MacOS XPC cached signature trust privilege escalation privilege-escalation flaw
Vulnerability
H score23
First: 25.06.2026 14:00
Last: 25.06.2026 14:00
Sources 1
About this happening:
**macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...
MacOS XPC cached signature trust privilege escalation privilege-escalation flaw
VulnerabilityAbout this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
Campaign
H score9
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
CampaignAbout this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
Vulnerability
H score33
First: 22.06.2026 20:28
Last: 22.06.2026 20:28
Sources 1
About this happening:
Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
VulnerabilityAbout this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Timeline
-
28.05.2026 10:54 3 articles · 1mo ago
Wiz tracks JINX-0164 targeting cryptocurrency organizations with AUDIOFIX and MiniRAT
Initial DisclosureWiz identified JINX-0164 as a previously undocumented threat actor targeting cryptocurrency organizations and software developers with recruitment-themed social engineering and bespoke macOS malware to enable digital asset theft. The activity uses credible LinkedIn profiles, fake recruiter lures, a rogue meeting flow, and a fake driver store domain at apple.driver-store[.]com to deliver the Python-based macOS infostealer and remote access trojan AUDIOFIX, while a separate delivery path previously distributed the Go-based backdoor MiniRAT through a compromised @velora-dex/sdk npm package. AUDIOFIX steals credentials and other sensitive data, supports manual reconnaissance, exfiltration, arbitrary shell command execution, file deletion, and payload retrieval, and can move laterally into code distribution systems and development infrastructure; Wiz also said there are no infrastructure overlaps connecting JINX-0164 to publicly tracked North Korean groups at this stage.
Show sources
- JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware — thehackernews.com — 28.05.2026 10:54
- JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware — thehackernews.com — 28.05.2026 10:54
- New Threat Actor Jinx-0164 Targets Crypto Developers on macOS — www.infosecurity-magazine.com — 28.05.2026 14:30