216.73.216.77

A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

· Published 28/05/2026 12:51 · Modified 28/05/2026 15:35

Export JSON

Essential information

Published
28/05/2026 12:51
Modified
28/05/2026 15:35
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
audiofix ci/cd hijacking cryptocurrency developer targeting linkedin phishing macos minirat npm trojan social engineering supply chain attack
Tags
2026-05-28 audiofix ci/cd hijacking cryptocurrency developer-targeting linkedin phishing macos minirat npm trojan social engineering supply chain attack
Related entities
82 indicators, 82 observables, 1 intrusion sets (apt), 2 malware, 49 others

Description

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against organizations. The actor employs LinkedIn-based , posing as recruiters or business partners to deliver custom malware including (a Python-based infostealer and RAT) and (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.

External references