Last updated: July 5, 2026 at 9:01 AM UTC

JINX-0164 targets crypto firms with LinkedIn recruiter lures and macOS AUDIOFIX malware - lateral move into CI/CD code distribution

Wiz has documented JINX-0164, a previously undocumented financially-motivated threat actor targeting cryptocurrency firms via recruitment-themed social engineering and bespoke macOS malware since at least mid-2025. The chain starts with credible LinkedIn profiles offering virtual meetings; victims are steered to a rogue teleconference page that delivers a malicious 'meeting client.' A bash script then pulls AUDIOFIX, a Python-based macOS infostealer and RAT, from apple.driver-store[.]com. The payload is architecture-aware (Intel and Apple Silicon), saved as ChromeUpdater, masquerades as the system audio daemon coreaudiod, and persists via launchctl. AUDIOFIX moves laterally from developer laptops into code-distribution and CI/CD infrastructure, modifying source code to steal wallets at scale.

Check
Train developer and finance teams against LinkedIn recruiter approaches followed by 'meeting client' downloads. Hunt macOS endpoints for ChromeUpdater, coreaudiod imposters, and launchctl-loaded LaunchDaemons.
Affected
Cryptocurrency firms and crypto-adjacent developers using macOS, especially with access to CI/CD or code-distribution infrastructure. LinkedIn recruitment lures are the dominant initial vector.
Fix
Apply Wiz IoCs including apple.driver-store[.]com. Restrict launchctl persistence to known LaunchDaemons. Require strong identity attestation before any new meeting-client install. Audit CI/CD signing keys.
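
The hunt named under Check, as an added example that is not from the Wiz report or this page's source: a triage pass over `ps -axo pid=,comm=` output and launchd plist contents that flags the two names given above. It assumes the genuine daemon runs from /usr/sbin/coreaudiod; the sample process list, plist and job label are constructed.

```python
import plistlib
from pathlib import PurePosixPath

LEGIT_COREAUDIOD = "/usr/sbin/coreaudiod"  # assumption: stock macOS location

def classify(path):
    """Return a reason string if the executable path matches a name from the write-up."""
    name = PurePosixPath(path).name
    if name == "ChromeUpdater":
        return "ChromeUpdater binary"
    if name == "coreaudiod" and path != LEGIT_COREAUDIOD:
        return "coreaudiod outside " + LEGIT_COREAUDIOD
    return None

def scan_processes(ps_output):
    """ps_output: text of `ps -axo pid=,comm=` (one 'PID PATH' per line)."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)  # path may contain spaces
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        reason = classify(parts[1])
        if reason:
            hits.append((int(parts[0]), parts[1], reason))
    return hits

def scan_launchd_plist(plist_bytes):
    """Check the program a launchd job would start (Program or ProgramArguments[0])."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    reason = classify(program)
    return (job.get("Label"), program, reason) if reason else None

# Constructed sample data, not taken from the Wiz report.
SAMPLE_PS = """\
  201 /usr/sbin/coreaudiod
  884 /Users/dev/Library/Application Support/coreaudiod
  902 /Users/dev/.cache/ChromeUpdater
  910 /Applications/Safari.app/Contents/MacOS/Safari
"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.audio</string>
<key>ProgramArguments</key><array><string>/Users/dev/.cache/ChromeUpdater</string></array>
</dict></plist>"""

if __name__ == "__main__":
    for hit in scan_processes(SAMPLE_PS):
        print(hit)
    print(scan_launchd_plist(SAMPLE_PLIST))
```

A hit is a lead for review, not a verdict: confirm with code-signature and file-hash checks against the Wiz IoCs before acting.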