
Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

Published:

27 May 2026 at 13:52:45

Alert date:

27 May 2026 at 16:03:27

Source:

wiz.io


Ransomware & Malware, Supply Chain & Dependencies, Data Breach & Exfiltration, Cloud & Virtualization

Wiz Research identifies JINX-0164, a threat actor conducting sophisticated supply chain attacks against cryptocurrency organizations. The campaign uses LinkedIn social engineering to establish trust with targets, deploys custom macOS malware, and hijacks CI/CD pipelines to compromise software development infrastructure. The attacks specifically target the cryptocurrency industry's development processes, representing a significant threat to software supply chain security in the crypto sector.

Technical details

JINX-0164 uses sophisticated social engineering via LinkedIn profiles impersonating recruiters or business partners to deliver macOS malware. The attack chain includes:

1) Credible LinkedIn contact with fake meeting invites
2) Malicious domains masquerading as conferencing platforms, delivering the AUDIOFIX Python-based infostealer or the MINIRAT Go-based backdoor
3) Credential harvesting from password managers, browsers, SSH keys, cloud credentials, and cryptocurrency wallets
4) Lateral movement into CI/CD systems using stolen GitHub tokens and the nord-stream tool
5) Code injection into repositories, impersonating developers via Git commit manipulation

The malware uses AES-256-CBC encryption, communicates over HTTPS with C2 domains (datahub.ink, cloud-sync.online, byte-io.us), establishes persistence via launchctl, and includes TCC bypass and password phishing capabilities. The supply chain attacks involved trojanizing the @velora-dex/sdk npm package.

Mitigation steps:

Enable endpoint monitoring with EDR solutions to detect malware IoCs and behaviors
Enable audit logs including cloud storage logs and IP logging in GitHub
Search for known IoCs including domains, IP addresses, file hashes, and file paths
Monitor for unexpected VPN usage, especially ExpressVPN, Astrill VPN, and Mullvad VPN
Look for GitHub Actions Secrets exfiltration via CI/CD pipelines
Search for nord-stream tool usage and unexpected workflow executions
Check for unverified commits on GitHub using Vigilant Mode
Monitor for publication of new code packages from anomalous IP addresses
Implement commit signature verification to detect developer impersonation
Review and secure GitHub Personal Access Tokens (PATs)
Monitor for malicious modifications to npm packages and other dependencies
Educate developers about social engineering tactics via LinkedIn and fake meeting invites
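The Git-side checks from the list above (the nord-stream committer indicators, the published branch name, and commits without a verified signature) as an added Python example; it is not code from the Wiz report or this advisory. It parses `git log` output produced with a custom format, treats only git's "G" signature status as verified, and the sample log lines are constructed with fake SHAs.

```python
import subprocess

# Git indicators taken from this advisory's IOC list (constants, not discovered here).
IOC_COMMITTER_NAMES = {"nord-stream"}
IOC_COMMITTER_EMAILS = {"nord-stream@localhost.com"}
IOC_BRANCHES = {"dev_remote_ea5Eu/test/v1"}
GOOD_SIG = "G"  # git %G? code for a good signature; every other code is treated as unverified
LOG_FORMAT = "%H%x1f%cn%x1f%ce%x1f%G?%x1f%D"  # sha, committer name, committer email, sig, refs

def parse_log(text):
    """Split 0x1f-delimited `git log --format=LOG_FORMAT` lines into dicts."""
    commits = []
    for line in text.splitlines():
        if line.strip():
            sha, name, email, sig, refs = line.split("\x1f", 4)
            commits.append({"sha": sha, "name": name, "email": email, "sig": sig, "refs": refs})
    return commits

def find_suspicious(commits):
    """Return [(sha, reasons)] for commits matching an indicator or lacking a good signature."""
    hits = []
    for c in commits:
        reasons = []
        if c["name"] in IOC_COMMITTER_NAMES:
            reasons.append("ioc-committer-name")
        if c["email"].lower() in IOC_COMMITTER_EMAILS:
            reasons.append("ioc-committer-email")
        # %D looks like "HEAD -> main, origin/main"; reduce each ref to a bare branch name.
        branches = {r.split("->")[-1].strip().removeprefix("origin/")
                    for r in c["refs"].split(",") if r.strip()}
        if branches & IOC_BRANCHES:
            reasons.append("ioc-branch")
        if c["sig"] != GOOD_SIG:
            reasons.append("unverified-signature")
        if reasons:
            hits.append((c["sha"], reasons))
    return hits

def scan_repo(path="."):
    """Run git log over all refs of a real checkout and report suspicious commits."""
    out = subprocess.run(["git", "-C", path, "log", "--all", f"--format={LOG_FORMAT}"],
                         capture_output=True, text=True, check=True).stdout
    return find_suspicious(parse_log(out))

# Constructed sample lines with fake SHAs so the script can be exercised offline.
SAMPLE = (
    "aaaa\x1fAlice Dev\x1falice@example.com\x1fG\x1fHEAD -> main, origin/main\n"
    "bbbb\x1fnord-stream\x1fnord-stream@localhost.com\x1fN\x1forigin/dev_remote_ea5Eu/test/v1\n"
    "cccc\x1fAlice Dev\x1falice@example.com\x1fN\x1f\n"
)

if __name__ == "__main__":
    for sha, reasons in find_suspicious(parse_log(SAMPLE)):
        print(sha, ", ".join(reasons))
```

Signature status depends on the keys available to git on the scanning host, so a commit that GitHub shows as verified can still report "N" or "E" locally; treat the signature finding as a prompt to cross-check against GitHub's own verification badge.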

Affected products:

macOS systems (Intel and Apple Silicon)
@velora-dex/sdk npm package version 4.9.1
GitHub repositories and CI/CD pipelines
Cryptocurrency wallet browser extensions (26 types including MetaMask, Phantom, Coinbase Wallet, Binance Chain)
Browser applications (Chrome, Edge, Firefox, Safari)
Communication apps (Discord, Slack, Telegram, Signal)
Password managers and macOS Keychain
Cloud platforms (AWS, GCP, Azure credentials)
Development tools (SSH keys, Kubernetes configurations)

IOCs:

Domains: live.us.org, team.live.us.org, teams.live.us.org, apple.driver-store.com, bitget-meeting.com, datahub.ink, cloud-sync.online, byte-io.us, driver-updater.net, driver-store.com, driver-hub.net, driver-update.io
IP addresses: 185.100.85.250, 84.32.83.250, 163.172.53.20, 89.36.224.5, 153.92.126.84, 45.45.217.242, 208.115.220.17, 185.175.59.85
File hashes: 0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270 (MINIRAT ARM64), 65cba741fe30fa4799fb9002ea8de6d96042a59159dd7c3419c766af24c835e6 (AUDIOFIX ARM64)
File paths: ~/Library/LaunchAgents/com.microsoft.teams.coreaudiod.plist, ~/Library/LaunchAgents/io.aircall.workspace.helper.plist, ~/.zsh_cache, /audio.lock
VPN services: ExpressVPN, Mullvad VPN, Astrill VPN
AES encryption key: v59l2uwlow9s1ebuscgfg9k9r4voxkbs
Git indicators: committer name 'nord-stream', email 'nord-stream@localhost.com', branch name 'dev_remote_ea5Eu/test/v1'

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
