JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
Summary
Hide ▲
Show ▼
A JINX-0164 campaign is targeting cryptocurrency firms and developers with LinkedIn recruiter lures, a fake meeting-and-fix workflow, and macOS malware to steal credentials and reach internal development systems. The operator has been active since at least mid-2025 and uses Audiofix to harvest Keychain, browser, SSH, cloud, and wallet-extension data, then abuses GitHub tokens to tamper with CI/CD pipelines. Wiz also says the activity trojanized @velora-dex/sdk version 4.9.1 to deliver MINIRAT. Defenders are urged to watch for suspicious VPN use, secret exfiltration from build workflows, and unverified commits.
Related Happenings
GitHub API enumeration campaign targeting corporate organizations
Campaign
H score17
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
GitHub API enumeration campaign targeting corporate organizations
CampaignAbout this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Operation Navy Ghost PyPI supply-chain campaign
Campaign
H score26
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Operation Navy Ghost PyPI supply-chain campaign
CampaignAbout this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Y2K Operators Millenium RAT social-engineering distribution campaign
Campaign
H score73
First: 29.06.2026 17:30
Last: 29.06.2026 17:30
Sources 1
About this happening:
The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...
Y2K Operators Millenium RAT social-engineering distribution campaign
CampaignAbout this happening: The **Y2K Operators** are running a **social-engineering distribution campaign** that spreads **Millenium RAT** through **booby-trapped downloads**, exposing users to remote compr...
Codfish/semantic-release-action hit by network compromise
Incident
H score21
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Codfish/semantic-release-action hit by network compromise
IncidentAbout this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Timeline
-
28.05.2026 10:54 3 articles · 1mo ago
JINX-0164 targets cryptocurrency organizations with recruiter lures and macOS malware
Initial DisclosureA previously undocumented threat actor tracked as JINX-0164 is targeting cryptocurrency organizations and developers with recruitment-themed social engineering, rogue meeting lures, and bespoke macOS malware to facilitate digital asset theft. The activity is assessed as active since at least mid-2025, includes credential theft and lateral movement into CI/CD and development infrastructure, and in at least one case is said to involve a supply chain attack.
Show sources
- JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware — thehackernews.com — 28.05.2026 10:54
- JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware — thehackernews.com — 28.05.2026 10:54
- New Threat Actor Jinx-0164 Targets Crypto Developers on macOS — www.infosecurity-magazine.com — 28.05.2026 14:30