- JINX-0164 uses fake LinkedIn recruiters to install AUDIOFIX malware on developer machines.
- Attackers harvest GitHub tokens to inject malicious code directly into development pipelines.
- The group trojanised the npm package @velora-dex/sdk on April 7, distributing a backdoor to crypto developers.
A previously undocumented threat actor is systematically targeting cryptocurrency developers through fake LinkedIn recruitment campaigns, installing custom malware on their computers and then using that access to compromise the company’s entire software development infrastructure.
Security firm Wiz has named the group JINX-0164 and has been tracking it since at least mid-2025. The group has conducted multiple successful intrusions against cryptocurrency organisations, in at least one case attempting a full supply chain attack by distributing malicious code through a widely used public package.
How the Attack Works
The attack follows a consistent pattern across every documented case:
- A credible LinkedIn profile reaches out with a job opportunity or business proposal
- The target is invited to a virtual meeting through what appears to be Microsoft Teams or a similar platform
- The meeting link leads to a fake domain where a malicious file is downloaded under the guise of fixing an audio or technical problem
- The file installs AUDIOFIX, a custom Python-based malware with full remote access capabilities
- Attackers harvest passwords, SSH keys, browser credentials, cryptocurrency wallet extensions, AWS and cloud API keys, and active sessions from Discord, Slack, and Telegram
- GitHub tokens extracted from the compromised machine are used to access internal code repositories
- Malicious code is injected directly into the development pipeline, infecting every other developer who pulls from those repositories
The entire process from initial LinkedIn contact to full pipeline compromise took two weeks in one documented case.
The Supply Chain Attack
On April 7, 2026, JINX-0164 trojanised version 9.4.1 of the npm package @velora-dex/sdk, a widely used cryptocurrency SDK. Three lines of malicious code were appended to the package that silently downloaded a lightweight backdoor called MINIRAT whenever the package was imported by any developer.
The attack targeted npm credentials rather than the GitHub source code, meaning the repository appeared clean while the published package was compromised.
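Because the repository stayed clean while the published tarball did not, the check that catches this pattern is a comparison of what was published against what the tagged source would produce. The following is an added example (not Wiz's code and not from the @velora-dex/sdk project): it builds two small in-memory tarballs from constructed file contents, one standing in for the repository at the release tag and one for the published package, and reports files that were added, removed, or modified, showing the lines appended to a modified file. The file names and contents are constructed placeholders.

```python
import io
import tarfile
from collections import defaultdict


def build_tar(files):
    """Build an in-memory .tar.gz from a {path: text} dict (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tar(blob):
    """Return {path: text} for every regular file in a .tar.gz blob."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read().decode()
    return files


def compare_release(repo_blob, published_blob):
    """Diff a source snapshot against the published artifact.

    Returns added/missing paths and, for modified files, the lines that were
    appended after the repository copy (None if the change is not a pure append).
    """
    repo = read_tar(repo_blob)
    pub = read_tar(published_blob)
    findings = {"added": [], "missing": [], "modified": {}}
    for path in sorted(set(repo) | set(pub)):
        if path not in repo:
            findings["added"].append(path)
        elif path not in pub:
            findings["missing"].append(path)
        elif repo[path] != pub[path]:
            if pub[path].startswith(repo[path]):
                extra = pub[path][len(repo[path]):]
                findings["modified"][path] = {"appended_lines": extra.strip().splitlines()}
            else:
                findings["modified"][path] = {"appended_lines": None}
    return findings


# Constructed sample data: a two-file package, then a "published" copy with
# two lines appended to the entry point and one file that the repo never had.
REPO_FILES = {
    "package/package.json": '{"name": "@example/sdk", "version": "0.0.0"}\n',
    "package/dist/index.js": 'module.exports = { swap() { return "ok"; } };\n',
}
PUBLISHED_FILES = dict(REPO_FILES)
PUBLISHED_FILES["package/dist/index.js"] += (
    'console.log("constructed placeholder line 1");\n'
    'console.log("constructed placeholder line 2");\n'
)
PUBLISHED_FILES["package/dist/extra.js"] = "// constructed placeholder for a file absent from the repository\n"


def demo():
    """Run the comparison on the constructed sample and return the findings."""
    return compare_release(build_tar(REPO_FILES), build_tar(PUBLISHED_FILES))


if __name__ == "__main__":
    for kind, value in demo().items():
        print(kind, value)
```

In practice the two inputs would be the tarball produced from a clean checkout of the release tag and the tarball fetched from the registry; any non-empty finding for a release that should be reproducible is a publishing-credential incident until proven otherwise, regardless of what the repository history shows.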
Why Developers Are the Target
Developer machines hold credentials for every system the developer touches: cloud infrastructure, code repositories, package managers, and internal APIs. JINX-0164 showed almost no interest in traditional cloud resources after gaining access. Its focus was exclusively on code distribution systems and development infrastructure, the most efficient path to reaching thousands of end users through a single trusted package.
What to Watch For
Wiz identified several indicators that helped detect the attack, including unverified commit badges surfaced by GitHub’s Vigilant Mode, mismatches between a committer’s GPG key history and the commit author, and git push activity traced back to a single compromised endpoint through audit logs.
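The indicators above can be turned into two simple checks over data a repository owner already has. The following is an added example (not Wiz's tooling): it runs over constructed commit metadata and constructed audit-log events, flags commits that are unverified or whose signer does not match the author, and groups git pushes by source address to surface one endpoint pushing to several repositories or under several identities. The field names (`verified`, `signer_email`, `actor_ip`, `repo`) are assumptions chosen for the example; map them to whatever your commit API and audit log actually export.

```python
from collections import defaultdict


def review_commit_signatures(commits):
    """Flag commits that are unverified or signed by a key not belonging to the author.

    Each commit is a dict with sha, author_email, verified (bool) and signer_email
    (assumed field names for this example).
    """
    findings = []
    for c in commits:
        if not c.get("verified"):
            findings.append((c["sha"], "unverified"))
        elif c.get("signer_email") and c["signer_email"].lower() != c["author_email"].lower():
            findings.append((c["sha"], "signer mismatch"))
    return findings


def suspicious_push_sources(events, min_repos=2):
    """Group git.push events by source address and keep the noisy ones.

    An address that pushes to at least min_repos repositories, or that pushes as
    more than one actor, is returned with sorted actor and repo lists.
    """
    by_ip = defaultdict(lambda: {"actors": set(), "repos": set()})
    for e in events:
        if e.get("action") != "git.push":
            continue
        by_ip[e["actor_ip"]]["actors"].add(e["actor"])
        by_ip[e["actor_ip"]]["repos"].add(e["repo"])
    return {
        ip: {"actors": sorted(v["actors"]), "repos": sorted(v["repos"])}
        for ip, v in by_ip.items()
        if len(v["repos"]) >= min_repos or len(v["actors"]) > 1
    }


# Constructed sample data (not real commits, addresses or accounts).
COMMITS = [
    {"sha": "a1", "author_email": "dev@example.com", "verified": True, "signer_email": "dev@example.com"},
    {"sha": "b2", "author_email": "dev@example.com", "verified": False, "signer_email": None},
    {"sha": "c3", "author_email": "dev@example.com", "verified": True, "signer_email": "other@example.com"},
]
AUDIT_EVENTS = [
    {"action": "git.push", "actor": "dev", "actor_ip": "203.0.113.7", "repo": "org/sdk"},
    {"action": "git.push", "actor": "dev", "actor_ip": "203.0.113.7", "repo": "org/api"},
    {"action": "git.push", "actor": "ci-bot", "actor_ip": "203.0.113.7", "repo": "org/infra"},
    {"action": "git.push", "actor": "alice", "actor_ip": "198.51.100.4", "repo": "org/sdk"},
    {"action": "repo.create", "actor": "alice", "actor_ip": "198.51.100.4", "repo": "org/new"},
]


def demo():
    """Run both checks on the constructed data and return their results."""
    return review_commit_signatures(COMMITS), suspicious_push_sources(AUDIT_EVENTS)


if __name__ == "__main__":
    sigs, pushes = demo()
    print("commit findings:", sigs)
    print("push sources:", pushes)
```

The second check is the audit-log angle described above: a developer laptop legitimately pushes to a handful of repositories as one user, so one address fanning out across repositories, or pushing under a service account it never used before, is the signal worth paging on.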
The group routes all activity through Mullvad, Astrill, and ExpressVPN to mask their origin. While no definitive attribution has been confirmed, Wiz noted tactical similarities to North Korean threat groups including UNC1069 and Sapphire Sleet, though no infrastructure overlap with known groups has been identified.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.