
JINX-0164 uses fake recruiter lures to deploy custom macOS malware against crypto firms and steal digital assets.
JINX-0164 is a previously undocumented threat actor uncovered by Wiz researchers (Shira Ayal and team) targeting cryptocurrency organizations. The campaign uses *recruitment-themed lures*: fake recruiters reach out via LinkedIn or similar platforms, pitch a role, and get the target to execute what looks like a technical interview challenge. That challenge is the malware.
The payload is custom macOS malware, not an off-the-shelf RAT (remote access trojan). It was built specifically for this campaign and this target demographic: crypto developers who work on Macs. The attackers clearly understand their victims' tech stack.
The key differentiator: the campaign explicitly targets CI/CD infrastructure (continuous integration/deployment pipelines — where code gets built, tested, and shipped to production). That's not a generic backdoor play. That's surgical access to the most sensitive layer of a crypto org's stack.
Fake recruiter lures aren't new. Lazarus Group, a North Korea-linked APT (state-sponsored hacker group), has run *Operation Dream Job* for years with the same pattern. A new actor, JINX-0164, adopting the same playbook confirms the technique converts. The difference here is the macOS-native payload and the explicit CI/CD targeting.
Most mid-size crypto teams have pipelines with direct wallet access for smart contract deployment automation. Compromise CI/CD and you don't steal one wallet — you steal the wallet factory. Signing keys, hot wallet credentials, deployment scripts: all of it lives in that pipeline.
The macOS-specific malware also matters culturally. Crypto dev teams are Mac-heavy. Attackers know this. The assumption that "serious malware is a Windows problem" is exactly what JINX-0164 is exploiting.
Wiz published fresh IOC (technical indicators that fingerprint the attack) data alongside the report. Search your logs against those indicators before JINX-0164 rotates infrastructure — which they will, now that they're named.
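A minimal sweep for that step, as an added example that is not from Wiz or the original article: it refangs defanged indicators, then matches domains (including subdomains), IPs and SHA-256 hashes in log lines. Every indicator, hostname and log line below is a constructed placeholder, not a real JINX-0164 IOC, and the log layout is an assumption.

```python
import re

SAMPLE_HASH = "ab" * 32  # constructed placeholder, not a real sample hash
# Constructed, defanged placeholders; substitute the published indicators.
PUBLISHED_IOCS = ["interview-task.example[.]com", "203.0.113[.]45", SAMPLE_HASH,
                  "hxxps://cdn.recruit-portal[.]example/challenge.zip"]
# Constructed log lines: DNS, connection and process-execution records.
SAMPLE_LOGS = [
    "2025-01-01T10:00:00Z dns query build01.interview-task.example.com from ci-runner-3",
    "2025-01-01T10:00:05Z dns query notinterview-task.example.com from laptop-7",
    "2025-01-01T10:01:00Z conn dst=203.0.113.45:443 proc=node host=laptop-7",
    f"2025-01-01T10:02:00Z exec sha256={SAMPLE_HASH} path=/tmp/challenge",
    "2025-01-01T10:03:00Z dns query github.com from ci-runner-3",
]
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")  # dotted hostnames and IPv4
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")             # SHA-256 in hex

def refang(text):
    """Undo common defanging so indicators compare equal to raw log values."""
    text = text.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", text, flags=re.I)

def load_iocs(raw_iocs):
    """Sort refanged indicators into domain, ip and sha256 sets."""
    iocs = {"domain": set(), "ip": set(), "sha256": set()}
    for raw in raw_iocs:
        value = refang(raw).lower()
        if HASH_RE.fullmatch(value):
            iocs["sha256"].add(value)
        elif value:
            # Reduce URLs to the host: drop scheme, path and port.
            host = re.sub(r"^[a-z]+://", "", value).split("/")[0].split(":")[0]
            kind = "ip" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else "domain"
            iocs[kind].add(host)
    return iocs

def sweep(log_lines, iocs):
    """Return (line_number, kind, value) for every indicator seen in the logs."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        low = line.lower()
        for token in HOST_RE.findall(low):
            # Match the domain or any subdomain, never a bare substring.
            if token in iocs["ip"]:
                hits.append((number, "ip", token))
            elif any(token == d or token.endswith("." + d) for d in iocs["domain"]):
                hits.append((number, "domain", token))
        hits += [(number, "sha256", h) for h in HASH_RE.findall(low) if h in iocs["sha256"]]
    return hits
```

Run `sweep(SAMPLE_LOGS, load_iocs(PUBLISHED_IOCS))` to see the three hits; the lookalike host on the second log line is correctly ignored because matching is anchored on a label boundary.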