That Recruiter in Your DMs Is Installing Malware on Your Mac
A threat actor called JINX-0164 is posing as recruiters to trick developers into running malware that steals credentials, crypto wallets, and SSH keys. If your company employs developers, this is your problem.
# A developer got a LinkedIn message about a job opportunity. Now his company's crypto wallets are empty.
This isn't hypothetical. In late May 2026, security researchers identified a threat actor tracked as JINX-0164 running a targeted campaign against cryptocurrency developers. The playbook is straightforward: approach developers through professional networks posing as recruiters, build rapport, then get them to run something on their machine. A coding challenge. A meeting app. A "quick demo" of a project.
That something installs two custom malware families on macOS. One is a Python-based infostealer and backdoor. The other is a lightweight Go backdoor. Together, they harvest everything worth stealing on a developer's machine.
Everything.
# What they're stealing.
Once the malware is running, it goes after:
- macOS Keychain contents -- every password, certificate, and key your system stores
- Browser credentials -- saved passwords across all browsers
- SSH keys -- direct access to every server the developer can reach
- Cloud tokens -- AWS, GCP, Azure, whatever's cached locally
- Cryptocurrency wallet browser extensions -- credentials for dozens of wallet extensions
- Clipboard contents -- actively monitoring for copied wallet addresses to swap in the attacker's address
That last one is particularly nasty. You copy a wallet address to send a payment, and the malware silently replaces it with the attacker's address. You paste, you send, and the money is gone. You won't notice until you check the transaction on-chain and realize it went somewhere you've never seen before.
# The social engineering is the actual weapon.
The malware is just the payload. The real attack is the conversation that happens before it.
JINX-0164 creates convincing recruiter and business personas on LinkedIn and other professional networks. They don't blast out mass messages. They target specific developers -- people working in cryptocurrency, DeFi, blockchain infrastructure. They do their homework. They reference your actual work. They know your tech stack.
Then they invite you to a meeting using a lookalike domain. Something that looks like Zoom or Google Meet but is actually a site that prompts you to install their "meeting client." Or they send you a coding challenge as part of a "technical interview" that requires running their code locally.
This is the same fundamental technique I wrote about in 5 Social Engineering Attacks Hitting Chicago Businesses Right Now. The attack targets the person, not the system. No firewall catches this. No antivirus flags the initial conversation. By the time something executable hits the developer's machine, they've already decided to trust the person who sent it.
# They're also poisoning the supply chain.
Here's where it gets worse. JINX-0164 isn't just doing one-on-one social engineering. They also trojanized a DEX SDK package on npm. Anyone who installed that package as a dependency got a backdoor included for free.
If that sounds familiar, it should. I wrote about exactly this pattern in Your Code Editor Just Became a Backdoor, where a compromised VS Code extension led to the breach of 3,800 GitHub repositories. Same playbook, different vector. Attackers are working through every part of the developer toolchain -- extensions, npm packages, meeting apps, coding challenges -- because developers are high-value targets with access to everything.
Two parallel attack vectors targeting the same ecosystem. Social engineering to compromise individual developers. Supply chain poisoning to compromise anyone who installs the wrong dependency. JINX-0164 is running both simultaneously.
# Why this matters if you're not a crypto company.
You might be reading this thinking "we don't do crypto, this doesn't apply to us." Stop.
Your developers use the same tools. The same macOS machines. The same SSH keys. The same cloud credentials. The malware that steals crypto wallet extensions also steals AWS credentials, Kubernetes configs, and every password in the Keychain. A developer at a logistics company, a healthcare startup, or a law firm SaaS product is just as compromised if they fall for this.
And the social engineering technique -- fake recruiters reaching out on LinkedIn -- works on any developer in any industry. Developers get recruiting messages constantly. It's background noise. Which makes it the perfect disguise.
If your company has developers, those developers are potential targets for social engineering through recruitment channels. Full stop.
# What to do about it.
1. Brief your development team on this specific threat.
Not a generic security training. Show them this campaign. Show them that threat actors create fake recruiter profiles and send coding challenges that install backdoors. Make it real. Developers respond to technical specifics, not abstract warnings about "being careful online."
2. Establish a policy for unsolicited recruiting contacts.
Your developers should treat any unsolicited outreach that involves running code, installing software, or clicking meeting links from unknown contacts as high-risk by default. No coding challenge from a stranger should ever run on a work machine. If a recruiter wants a technical assessment, it happens in a sandboxed environment or a browser-based IDE, never on the developer's primary workstation.
3. Audit your npm dependency trees.
If your projects have any dependencies on DEX SDKs or cryptocurrency-related packages, audit them now. Look for unexpected packages, recent maintainer changes, or suspicious post-install scripts. Tools like Socket.dev can flag packages with known supply chain risks.
4. Deploy endpoint detection on developer machines.
Your EDR solution needs to flag unusual process spawning patterns. A Python or Go process launching from an IDE context or from an npm install hook is abnormal behavior. If your endpoint protection can't distinguish between a developer running their own code and malware spawning from a package install, you need better endpoint protection.
5. Review Keychain access and rotate credentials.
If any developer on your team has interacted with suspicious recruiting outreach in the past few months, treat it as a potential compromise. Review macOS Keychain access logs. Rotate cloud credentials, SSH keys, and API tokens. Check browser extension permissions. This is the kind of thing where "better safe than sorry" is the only rational position.
6. Separate recruiting from development infrastructure.
Developers who actively job search or respond to recruiters should not be doing it on the same machine where they have production credentials. This is a hard sell culturally, but it's the reality. The machine where you browse LinkedIn and open attachments from strangers should not be the same machine that has SSH access to your production database.
# The pattern is clear.
JINX-0164 is one actor. But the technique -- social engineering through professional networks to get developers to run malicious code -- is being used by multiple groups across multiple industries. This is the trajectory. Developers are the new high-value targets because they hold credentials to everything, and the channels they use professionally (LinkedIn, GitHub, npm, VS Code Marketplace) have become attack surfaces.
Your developers are smart. That doesn't make them immune. Smart people fall for social engineering every day because the attacks are designed to exploit trust, not stupidity.
Train them. Give them policies that make the right behavior the easy behavior. And assume that if someone's targeting crypto developers today, they're targeting your developers tomorrow.
# Further reading
- The Hacker News - JINX-0164 Campaign - original reporting on the threat actor
- Infosecurity Magazine - JINX-0164 - additional coverage and analysis
- Socket.dev - supply chain security for npm, PyPI, and Go packages
- Objective-See - free macOS security tools including process monitoring