New Threat Actor Jinx-0164 Targets Crypto Developers on macOS
ID: 2b22bc5a-029c-521f-bb85-d432aa46d2ef
STIX ID: report--2b22bc5a-029c-521f-bb85-d432aa46d2ef
Feed Name: Infosecurity Magazine (News)
Wiz reports a financially motivated cluster, dubbed Jinx-0164, that has targeted crypto firms since at least mid-2025. The group uses LinkedIn-based social engineering and fake meeting domains to install Audiofix, a Python-based macOS stealer/RAT that harvests credentials and keys. It also abused stolen GitHub tokens to exfiltrate CI/CD secrets and inject poisoned commits, and trojanized an npm package to deliver a second backdoor (MINIRAT), creating a high-risk vector for propagation through the supply chain and developer pipelines.
