JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
First reported
Last updated
Happening score
H score 39
2 unique sources, 2 articles

Summary

A JINX-0164 campaign is targeting cryptocurrency firms and developers with LinkedIn recruiter lures, a fake meeting-and-fix workflow, and macOS malware to steal credentials and reach internal development systems. The operator has been active since at least mid-2025 and uses Audiofix to harvest Keychain, browser, SSH, cloud, and wallet-extension data, then abuses GitHub tokens to tamper with CI/CD pipelines. Wiz also says the activity trojanized @velora-dex/sdk version 4.9.1 to deliver MINIRAT. Defenders are urged to watch for suspicious VPN use, secret exfiltration from build workflows, and unverified commits.

Related Happenings

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

How related: The payload, a Python-based stealer and remote access tool named Audiofix, masquerades as a system audio driver and runs on both Intel and Apple Silicon machines.

About this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...

Mirax Android banking trojan with residential proxy nodes

Malware Activity
First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...

TeamPCP supply-chain credential-exploitation campaign

Campaign
First: 31.03.2026 15:15 Last: 31.03.2026 15:15 Sources 1

About this happening: The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...

Latest development: 12.05.2026 01:03

TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.

Contagious Interview cryptocurrency social-engineering and malware-delivery campaign

Campaign
First: 23.03.2026 20:09 Last: 23.03.2026 20:09 Sources 1

About this happening: A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...

Storm-2561 fake enterprise VPN Hyrax infostealer activity

Malware Activity
First: 13.03.2026 15:23 Last: 13.03.2026 15:23 Sources 1

About this happening: A fake enterprise VPN installer is now delivering **Hyrax infostealer** components that steal **VPN credentials** and maintain persistence on **Windows** systems. The operation ma...

Timeline

  1. 28.05.2026 10:54 3 articles · 3h ago

    JINX-0164 targets cryptocurrency organizations with recruiter lures and macOS malware

    Initial Disclosure

    A previously undocumented threat actor tracked as JINX-0164 is targeting cryptocurrency organizations and developers with recruitment-themed social engineering, rogue meeting lures, and bespoke macOS malware to facilitate digital asset theft. The activity is assessed as active since at least mid-2025, includes credential theft and lateral movement into CI/CD and development infrastructure, and in at least one case is said to involve a supply chain attack.
