Threat actors uploaded malicious versions of a NuGet package impersonating Sicoob's official C# software development kit to harvest banking credentials and cryptographic certificates from Brazilian financial institutions.
Versions 2.0.0 through 2.0.4 of the fake "Sicoob.Sdk" package on NuGet steal PFX certificate files and the client identifiers that applications use to authenticate to Sicoob, a major Brazilian cooperative banking network. Researchers at Socket identified the campaign, which targets developers integrating Sicoob's legitimate banking APIs into their applications.
A PFX file (PKCS#12) bundles a client certificate with its private key, and that key is what proves a client's identity to the bank's API. A stolen file plus the matching client ID is therefore a complete credential: whoever holds both can authenticate as the legitimate banking client, execute fraudulent transfers, and read whatever the bank returns to a client it believes is genuine.
The attack exemplifies a broader supply chain weakness in package repositories. NuGet, Microsoft's package manager for .NET, hosts thousands of third-party libraries that build tooling restores automatically, often without anyone inspecting them. Attackers exploit naming similarity, publishing packages whose names look official so that a developer searching for a vendor's SDK installs the impostor instead.
Similar campaigns have targeted npm, Python's PyPI, and other registries. Malicious npm packages, for example, have been used to steal cloud secrets such as AWS credentials and API keys from environment variables on the machines that install them.
Organizations using Sicoob's banking APIs face immediate risk if any of the affected versions was restored into a build or deployed to production, since a compromised PFX certificate enables account takeover and unauthorized transactions. Financial institutions relying on Sicoob should audit their dependencies, direct and transitive, including lock files and restore caches on build agents, for Sicoob.Sdk 2.0.0 through 2.0.4; review authentication logs for use of their client ID from unexpected sources; and treat any certificate and client ID present on an affected machine as compromised, revoking and reissuing the certificate and rotating the credentials immediately.
Developers should verify package authenticity before installation: confirm the publisher, the package's history, and whether the vendor actually lists it. NuGet supports author signing, so publishers should sign their packages and consumers can require known signers and pin packages to a specific feed in nuget.config rather than accepting whatever a name search returns. Repository platforms need faster typosquatting detection and stricter publisher verification. Security scanning tools integrated into CI/CD pipelines can catch malicious packages before
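One way to run the dependency audit described above, as an added Python example that is not code from the article, Socket, or Sicoob: it assumes only the reported range (2.0.0 through 2.0.4) and the standard layouts of PackageReference items in .csproj files and of packages.lock.json, whose resolved graph also exposes a transitive pull-in. The sample project and lock file are constructed for illustration.

```python
"""Audit .NET dependency files for the malicious Sicoob.Sdk versions.
Added example, not code from the article, Socket, or Sicoob. Assumes the
affected range reported above and the usual .csproj / packages.lock.json
layouts. Sample inputs at the bottom are constructed.
"""
import json
import re
import xml.etree.ElementTree as ET
from pathlib import Path

MALICIOUS_ID = "sicoob.sdk"                        # NuGet ids are case-insensitive
AFFECTED = {(2, 0, patch) for patch in range(5)}   # 2.0.0 .. 2.0.4 per the report

def parse_version(text):
    """(major, minor, patch) of a NuGet version like "2.0.3" or "2.0.3-beta";
    None for anything that is not a plain version (ranges, floating versions)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(package_id, version):
    return package_id.lower() == MALICIOUS_ID and parse_version(version) in AFFECTED

def _local(tag):
    """Strip an XML namespace; old-style csproj files carry the MSBuild one."""
    return tag.rsplit("}", 1)[-1]

def audit_csproj(xml_text):
    """Return [(id, version)] for PackageReference items in the affected range,
    accepting both the Version attribute and a <Version> child element."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "PackageReference":
            continue
        pkg = el.get("Include") or el.get("Update") or ""
        version = el.get("Version")
        if version is None:
            version = next((c.text for c in el if _local(c.tag) == "Version"), "")
        if is_affected(pkg, version):
            hits.append((pkg, version))
    return hits

def audit_lockfile(json_text):
    """Return [(framework, id, resolved)] from packages.lock.json. The lock file
    records the resolved graph, so a transitive dependency is caught as well."""
    hits = []
    for framework, deps in json.loads(json_text).get("dependencies", {}).items():
        for pkg, info in deps.items():
            resolved = info.get("resolved", "")
            if is_affected(pkg, resolved):
                hits.append((framework, pkg, resolved))
    return hits

def scan_directory(root):
    """Walk a source tree and collect findings from every project and lock file."""
    findings = []
    for path in Path(root).rglob("*.csproj"):
        for pkg, ver in audit_csproj(path.read_text(encoding="utf-8")):
            findings.append((str(path), pkg, ver))
    for path in Path(root).rglob("packages.lock.json"):
        for fw, pkg, ver in audit_lockfile(path.read_text(encoding="utf-8")):
            findings.append((f"{path} [{fw}]", pkg, ver))
    return findings

# Constructed samples: a project referencing the malicious version directly,
# and a lock file where it arrived transitively. The 2.0.5 entry is outside the
# reported range, so it is not flagged; that says nothing about whether it is clean.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Sicoob.Sdk" Version="2.0.3" />
    <PackageReference Include="Some.Other.Package">
      <Version>2.0.1</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = """{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
      "sicoob.sdk": {"type": "Transitive", "resolved": "2.0.1"}
    },
    "net6.0": {
      "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.5, )", "resolved": "2.0.5"}
    }
  }
}"""

if __name__ == "__main__":
    for hit in audit_csproj(SAMPLE_CSPROJ):
        print("csproj:", hit)
    for hit in audit_lockfile(SAMPLE_LOCK):
        print("lock:", hit)
```

Run `scan_directory` over each repository and build agent; the same resolved set can be cross-checked with `dotnet list package --include-transitive`, and the global packages folder (`~/.nuget/packages/sicoob.sdk/`) on any machine that restored an affected version should be treated as evidence that the machine's PFX files and client IDs were exposed.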
