HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

JINX‑0164 Deploys Recruiter‑Phishing and Custom macOS Malware Against Cryptocurrency Companies

A newly identified threat actor, JINX‑0164, is targeting cryptocurrency firms with recruitment‑themed phishing emails that drop bespoke macOS malware. The payload infiltrates CI/CD pipelines, harvests wallet credentials, and can enable unauthorized crypto transfers, presenting a high‑impact third‑party risk.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
thehackernews.com

JINX‑0164 Deploys Recruiter‑Phishing and Custom macOS Malware Against Cryptocurrency Companies

What Happened — A previously unknown threat group, dubbed JINX‑0164, launched a social‑engineering campaign that masquerades as legitimate recruitment outreach. Recipients receive malicious links or attachments that install a bespoke macOS backdoor, enabling the actors to infiltrate CI/CD pipelines and steal digital assets.

Why It Matters for TPRM

  • Recruiter‑phishing bypasses traditional email security by exploiting trust in hiring processes.
  • macOS‑specific payloads expand the attack surface to Apple‑based development environments common in crypto firms.
  • Successful compromise can lead to unauthorized cryptocurrency transfers, exposing third‑party risk to severe financial loss.

Who Is Affected — Cryptocurrency exchanges, wallet providers, blockchain‑as‑a‑service platforms, and any vendor that runs macOS‑based CI/CD or development tooling.

Recommended Actions

  • Verify that recruitment communications are vetted through a secure HR channel.
  • Enforce strict code‑signing and application‑allow‑list policies on macOS workstations.
  • Conduct phishing simulations focused on recruitment lures and audit CI/CD pipeline permissions.

Technical Notes — The campaign uses spear‑phishing emails with “We’d like to interview you” subject lines, delivering a signed macOS‑compatible installer that establishes persistence via launch agents. The malware harvests SSH keys, API tokens, and wallet credentials, then exfiltrates them over encrypted channels. No public CVE is associated; the tool appears to be custom‑written. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/jinx-0164-targets-cryptocurrency-firms.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →