
Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets

Published:

29 May 2026 at 09:11:25

Alert date:

29 May 2026 at 11:01:45

Source:

thehackernews.com


Supply Chain & Dependencies, Ransomware & Malware, Enterprise Applications

Cybersecurity researchers discovered a malicious NuGet package masquerading as a C# SDK for Sicoob, one of Brazil's largest cooperative financial systems. The package, versions 2.0.0 through 2.0.4 of 'Sicoob.Sdk', contains functionality to exfiltrate sensitive information, including client IDs and PFX certificates. This is a supply chain attack targeting the banking credentials and certificates used for financial authentication, aimed specifically at developers integrating with Sicoob's banking system.

Technical details

The malicious Sicoob.Sdk NuGet package, versions 2.0.0-2.0.4, steals PFX certificates and credentials when developers instantiate SicoobClient. It reads PFX files from disk, Base64-encodes their contents, and sends the client ID, the PFX password, and the encoded PFX data to a hardcoded Sentry endpoint. The package also captures Boleto API responses via a separate Sentry path. There is a mismatch between the source in the linked GitHub repository and the published NuGet artifact. Separately, 14 malicious npm packages use typosquatting to harvest AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD secrets through preinstall hooks and purpose-built credential harvesters.

Mitigation steps:

Immediately remove Sicoob.Sdk package
Treat PFX material as compromised
Replace exposed PFX certificates
Rotate PFX passwords
Change or disable affected client IDs
Audit Sicoob authentication and API logs for unusual activity
Check for installation of the malicious npm packages listed below
Monitor environment variables for unauthorized access
Review CI/CD pipeline secrets and tokens

Affected products:

Sicoob.Sdk versions 2.0.0-2.0.4
@vpmdhaj/devops-tools
@vpmdhaj/elastic-helper
@vpmdhaj/opensearch-setup
@vpmdhaj/search-setup
app-config-utility
elastic-opensearch-helper
env-config-manager
opensearch-config-utility
opensearch-security-scanner
opensearch-setup
opensearch-setup-tool
search-cluster-setup
search-engine-setup
vpmdhaj-opensearch-setup
forge-jsxy
forge-jsx
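As an added example (not code from the advisory or from Sicoob), the check below scans a .csproj file and an npm package-lock.json for the package names and versions listed above. The sample manifests are constructed; the `hasInstallScript` flag is the lockfile v2/v3 field npm sets when a package declares preinstall/install/postinstall scripts.

```python
"""Scan dependency manifests for the packages named in this advisory."""
import json
import re
from typing import List, Tuple

# Names and versions come from the advisory's affected-products list.
MALICIOUS_NUGET = {"sicoob.sdk": ("2.0.0", "2.0.4")}   # inclusive range
MALICIOUS_NPM = {
    "@vpmdhaj/devops-tools", "@vpmdhaj/elastic-helper", "@vpmdhaj/opensearch-setup",
    "@vpmdhaj/search-setup", "app-config-utility", "elastic-opensearch-helper",
    "env-config-manager", "opensearch-config-utility", "opensearch-security-scanner",
    "opensearch-setup", "opensearch-setup-tool", "search-cluster-setup",
    "search-engine-setup", "vpmdhaj-opensearch-setup", "forge-jsxy", "forge-jsx",
}

def _ver(v: str) -> Tuple[int, ...]:
    """Numeric part of a version string ('2.0.3-beta' -> (2, 0, 3))."""
    m = re.match(r"\d+(\.\d+)*", v)
    return tuple(int(p) for p in m.group().split(".")) if m else (0,)

def nuget_findings(csproj_xml: str) -> List[str]:
    """Flag <PackageReference Include="..." Version="..."/> entries in the affected range."""
    pat = r'<PackageReference\s+Include="([^"]+)"\s+Version="([^"]+)"'
    hits = []
    for name, ver in re.findall(pat, csproj_xml):
        rng = MALICIOUS_NUGET.get(name.lower())   # NuGet IDs are case-insensitive
        if rng and _ver(rng[0]) <= _ver(ver) <= _ver(rng[1]):
            hits.append(f"{name} {ver}")
    return hits

def npm_findings(lockfile_json: str) -> List[str]:
    """Flag package-lock.json (v2/v3) entries on the list; note install scripts."""
    hits = []
    for path, info in json.loads(lockfile_json).get("packages", {}).items():
        # Aliased packages carry an explicit "name"; otherwise derive it from the path.
        name = info.get("name") or path.split("node_modules/")[-1]
        if name in MALICIOUS_NPM:
            flag = " [has install script]" if info.get("hasInstallScript") else ""
            hits.append(f"{name} {info.get('version', '?')}{flag}")
    return hits

# Constructed sample manifests (not real project files).
SAMPLE_CSPROJ = """<Project><ItemGroup>
  <PackageReference Include="Sicoob.Sdk" Version="2.0.3" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/opensearch-setup": {"version": "1.0.2", "hasInstallScript": True},
    "node_modules/lodash": {"version": "4.17.21"},
}})
```

Run `nuget_findings(SAMPLE_CSPROJ)` and `npm_findings(SAMPLE_LOCK)` against your own manifests; a hit on either list means the PFX material, client IDs and CI/CD secrets on that host should be treated as exposed per the mitigation steps above.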

Related links:

Related CVEs:

Related threat actors:

IOCs:

Sicoob.Sdk versions 2.0.0-2.0.4, oob.moika[.]tech/report, a39155771@gmail.com, vpmdhaj npm packages, hardcoded Sentry endpoints

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
