Malicious Sicoob NuGet Package Stole Banking Credentials


Researchers uncovered a malicious NuGet package stealing banking certificates and credentials linked to Brazil’s Sicoob system.

Cybersecurity researchers have uncovered a malicious NuGet package impersonating a legitimate software development kit for Sicoob, one of Brazil’s largest cooperative financial systems, in an apparent supply chain attack targeting banking credentials.

According to researchers at Socket, versions 2.0.0 through 2.0.4 of the package named “Sicoob.Sdk” were designed to steal sensitive information including client IDs, PFX passwords, and digital banking certificates used by businesses to authenticate with Sicoob banking APIs.

Investigators said the malicious package activated when developers initialized the software client using banking credentials and certificate files. The malware then reportedly read PFX certificate files from local systems, encoded the contents, and transmitted the data to attacker-controlled infrastructure through a hardcoded Sentry endpoint.

Researchers warned that the stolen authentication material could allow threat actors to impersonate legitimate Sicoob banking integrations, potentially enabling fraudulent payment activity, unauthorized access to financial systems, and abuse of Brazil’s Pix instant payment infrastructure.

The package also allegedly captured Boleto API responses, exposing sensitive transaction details such as payment amounts, due dates, identifiers, and payer information. Boleto is a widely used payment system in Brazil for both online and offline transactions.

Security researchers discovered that the GitHub repository linked to the package appeared clean and legitimate, while the malicious functionality existed only within the NuGet package uploaded to the registry. Investigators described the tactic as an attempt to create a false sense of legitimacy for developers reviewing the project source code.

The malicious package was downloaded nearly 500 times before being blocked and removed from NuGet following responsible disclosure. Researchers also identified 11 additional packages connected to the same publisher account, which collectively accumulated roughly 6,000 downloads.

Socket further revealed that Google Search AI Mode surfaced the malicious package as a legitimate library recommendation, potentially increasing exposure to developers searching for Sicoob API integration tools.

The findings come amid a broader surge in software supply chain attacks targeting open-source ecosystems including npm and NuGet. Researchers separately identified multiple malicious npm packages designed to steal AWS credentials, HashiCorp Vault tokens, CI/CD secrets, and other cloud authentication data from developer environments.

Security experts advised organizations that installed the package to immediately remove it, rotate exposed certificates and passwords, disable compromised client IDs, and review authentication logs for suspicious activity.
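The first remediation step above, finding which projects actually pulled the affected versions, is easy to automate. The following Python script is an added example, not code from the Socket report or from the package itself: it flags Sicoob.Sdk 2.0.0 through 2.0.4 in `.csproj` PackageReference entries and in `packages.lock.json`, where transitive pulls also appear. The sample project file and lock file are constructed so it runs offline; in practice, read them from disk.

```python
"""Flag .NET projects that reference Sicoob.Sdk 2.0.0 through 2.0.4 (added example,
not code from the Socket report or the package; sample inputs are constructed)."""
import json
import re
import xml.etree.ElementTree as ET

AFFECTED_ID = "sicoob.sdk"                 # NuGet IDs are case-insensitive
AFFECTED_RANGE = ((2, 0, 0), (2, 0, 4))    # inclusive bounds from the report

def parse_version(text):
    """Tuple for a plain version; None for floating ('2.0.*') or range specs."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:-[0-9A-Za-z.-]+)?", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None  # pre-release suffix ignored

def is_affected(pkg_id, version):
    if pkg_id.lower() != AFFECTED_ID:
        return False
    v = parse_version(version)
    if v is None:          # cannot prove a floating/range spec resolved safely
        return True
    return AFFECTED_RANGE[0] <= v <= AFFECTED_RANGE[1]

def scan_csproj(xml_text):
    """Direct PackageReference hits; tolerates the old MSBuild xmlns."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        pkg = el.get("Include") or el.get("Update") or ""
        ver = el.get("Version") or el.findtext("Version") or ""
        if is_affected(pkg, ver):
            hits.append((pkg, ver))
    return hits

def scan_lockfile(json_text):
    """Direct and transitive hits from packages.lock.json, per target framework."""
    hits = []
    for tfm, deps in json.loads(json_text).get("dependencies", {}).items():
        for pkg, info in deps.items():
            if is_affected(pkg, info.get("resolved", "")):
                hits.append((tfm, pkg, info["resolved"], info.get("type")))
    return hits

# Constructed sample inputs (not from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  <PackageReference Include="sicoob.sdk" Version="2.0.3" />
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.3, )", "resolved": "2.0.3"},
    "Example.Transitive": {"type": "Transitive", "resolved": "1.2.0"}}}})
```

Any hit means the certificate and client ID that project was configured with should be treated as exposed and rotated, regardless of whether the package was ever initialized in production.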
