JINX‑0164 Deploys Recruiter‑Phishing and Custom macOS Malware Against Cryptocurrency Companies
What Happened — A previously unknown threat group, dubbed JINX‑0164, launched a social‑engineering campaign that masquerades as legitimate recruitment outreach. Recipients receive malicious links or attachments that install a bespoke macOS backdoor, enabling the actors to infiltrate CI/CD pipelines and steal digital assets.
Why It Matters for TPRM —
- Recruiter‑phishing bypasses traditional email security by exploiting trust in hiring processes.
- macOS‑specific payloads expand the attack surface to Apple‑based development environments common in crypto firms.
- Successful compromise can lead to unauthorized cryptocurrency transfers, exposing third‑party risk to severe financial loss.
Who Is Affected — Cryptocurrency exchanges, wallet providers, blockchain‑as‑a‑service platforms, and any vendor that runs macOS‑based CI/CD or development tooling.
Recommended Actions —
- Verify that recruitment communications are vetted through a secure HR channel.
- Enforce strict code‑signing and application‑allow‑list policies on macOS workstations.
- Conduct phishing simulations focused on recruitment lures and audit CI/CD pipeline permissions.
Technical Notes — The campaign uses spear‑phishing emails with “We’d like to interview you” subject lines, delivering a signed macOS‑compatible installer that establishes persistence via launch agents. The malware harvests SSH keys, API tokens, and wallet credentials, then exfiltrates them over encrypted channels. No public CVE is associated; the tool appears to be custom‑written. Source: The Hacker News