Malicious NuGet Package Targets Sicoob SDK, Exfiltrates Banking Credentials
Severity: High (Score: 69.0)
Sources: Thehackernews, Cybersecuritynews
Keywords: malicious, nuget, sicoob, package, banking, credentials, discovered
Severity indicators: rat, banking, credentials, passwords
Summary
A malicious NuGet package named 'Sicoob.Sdk' has been identified, which impersonates an official software development kit for Sicoob, a major Brazilian cooperative financial system. This package, affecting versions 2.0.0 to 2.0.4, is designed to exfiltrate sensitive banking credentials, including client IDs and PFX certificates. The attack specifically targets developers integrating with Sicoob's banking APIs, raising significant concerns about software supply chain security in the financial sector. Cybersecurity researchers from Socket confirmed the malicious functionality of the package, which has the potential to compromise numerous banking accounts. The discovery was made public on May 29, 2026, prompting immediate warnings for developers to avoid using the compromised package. The full scope of the impact remains unclear, but the incident highlights vulnerabilities in software supply chains.

Key Points:
- A malicious NuGet package masquerading as the Sicoob SDK has been discovered.
- The package exfiltrates sensitive banking credentials, including client IDs and PFX certificates.
- Versions 2.0.0 to 2.0.4 of 'Sicoob.Sdk' are confirmed to be compromised.
Detailed Analysis
**Impact**

Developers integrating with Brazil’s Sicoob banking APIs are affected, specifically those using the compromised NuGet package versions 2.0.0 through 2.0.4. The malicious package exfiltrates sensitive banking credentials, including client IDs and PFX certificates, risking unauthorized access to cooperative financial accounts within Brazil’s Sicoob system. The scope is limited to the financial sector in Brazil but involves potentially critical credential theft impacting client security and operational trust.

**Technical Details**

The attack vector is a malicious NuGet package named “Sicoob.Sdk” distributed via the official package repository, targeting C# developers. The package contains code that silently harvests and exfiltrates authentication data such as banking passwords, client IDs, and PFX certificates used for secure communications. No CVEs or specific infrastructure details are provided. The compromise occurs during the software supply chain phase, specifically the development and build stage.

**Recommended Response**

Immediately audit and remove versions 2.0.0 through 2.0.4 of the “Sicoob.Sdk” package from development environments and replace them with verified clean versions or official SDKs. Monitor network traffic for unusual outbound connections that could indicate credential exfiltration. Implement strict package source validation and consider using package signing and integrity checks to prevent supply chain compromises. No patch or CVE mitigation details are available; focus on detection and containment.
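The audit step in the recommended response, as an added example (not code from the advisory, from Socket, or from either source article): a scanner that walks a .NET source tree and flags references to the 'Sicoob.Sdk' package at versions 2.0.0 through 2.0.4, the only indicators the report gives. It reads SDK-style `.csproj` files, legacy `packages.config`, and `packages.lock.json`; the sample project files it scans at the end are constructed for the demo and are not real project data.

```python
"""
Added example (not code from the advisory or from Socket): scan a .NET source
tree for references to the malicious Sicoob.Sdk NuGet package, versions
2.0.0 through 2.0.4 as named in the report. Checks SDK-style .csproj files,
legacy packages.config and packages.lock.json.
"""
import json
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Indicators taken from the advisory text.
AFFECTED_PACKAGE = "Sicoob.Sdk"
AFFECTED_VERSIONS = {"2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4"}


def _local_name(tag):
    """Drop an XML namespace prefix such as '{...msbuild/2003}' from a tag."""
    return tag.rsplit("}", 1)[-1]


def _pinned_version(version):
    """Extract the first numeric version from '2.0.3', '[2.0.3]' or '[2.0.3, )'.
    For a floating range this is the lower bound; confirm the resolved version
    in packages.lock.json before treating such a reference as clean."""
    m = re.match(r"\[?\s*(\d+(?:\.\d+)+)", version or "")
    return m.group(1) if m else None


def is_affected(package, version):
    """True when the reference matches the advisory's package and version set.
    NuGet package IDs are case-insensitive, so compare them lower-cased."""
    if package.lower() != AFFECTED_PACKAGE.lower():
        return False
    return _pinned_version(version) in AFFECTED_VERSIONS


def scan_csproj(text):
    """Return (package, version) pairs from <PackageReference> elements."""
    refs = []
    for el in ET.fromstring(text).iter():
        if _local_name(el.tag) != "PackageReference":
            continue
        pkg = el.get("Include") or el.get("Update")
        ver = el.get("Version")
        if ver is None:  # the version may also be given as a child element
            ver = next((c.text for c in el if _local_name(c.tag) == "Version"), "")
        if pkg:
            refs.append((pkg, ver or ""))
    return refs


def scan_packages_config(text):
    """Return (package, version) pairs from a legacy packages.config."""
    return [(el.get("id"), el.get("version") or "")
            for el in ET.fromstring(text).iter()
            if _local_name(el.tag) == "package" and el.get("id")]


def scan_lock_file(text):
    """Return (package, resolved_version) pairs from packages.lock.json."""
    refs = []
    for framework_deps in json.loads(text).get("dependencies", {}).values():
        for pkg, info in framework_deps.items():
            refs.append((pkg, info.get("resolved", "")))
    return refs


PARSERS = {
    "*.csproj": scan_csproj,
    "packages.config": scan_packages_config,
    "packages.lock.json": scan_lock_file,
}


def scan_tree(root_dir):
    """Walk a source tree; return every affected reference as (path, package, version)."""
    hits = []
    for pattern, parser in PARSERS.items():
        for path in Path(root_dir).rglob(pattern):
            try:
                refs = parser(path.read_text(encoding="utf-8-sig"))
            except (ET.ParseError, json.JSONDecodeError, OSError):
                continue  # malformed or unreadable file; a real audit should log it
            hits.extend((str(path), pkg, ver) for pkg, ver in refs if is_affected(pkg, ver))
    return hits


# Constructed sample inputs (not real project files) for a stand-alone run.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sicoob.Sdk" Version="2.0.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.4, )", "resolved": "2.0.4"},
    "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"}}}})


def demo():
    """Write the samples into a temporary tree, scan it and return (package, version) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "App").mkdir()
        Path(tmp, "App", "App.csproj").write_text(SAMPLE_CSPROJ)
        Path(tmp, "App", "packages.lock.json").write_text(SAMPLE_LOCK)
        return sorted((pkg, ver) for _, pkg, ver in scan_tree(tmp))


if __name__ == "__main__":
    for pkg, ver in demo():
        print(f"AFFECTED: {pkg} {ver}")
```

Run it against a checkout root instead of the demo tree by calling `scan_tree("/path/to/repo")`. The lock file is the authoritative source: a `.csproj` that pins a floating range such as `[2.0.0, )` only shows the lower bound, and restore may have resolved to any of the affected versions, so the lock file (or `dotnet list package`) should be checked alongside project files. Package IDs are compared case-insensitively because NuGet itself treats them that way.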
Source articles (2)
- Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets — Thehackernews · 2026-05-29
  Cybersecurity researchers have discovered a malicious NuGet package that masquerades as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems, to siphon clien…
- Malicious NuGet Package as Sicoob SDK Exfiltrates Banking Passwords — Cybersecuritynews · 2026-05-29
  A newly discovered malicious NuGet package masquerading as an official Sicoob software development kit (SDK) has been caught exfiltrating highly sensitive banking credentials, raising serious concerns…
Timeline
- 2026-05-29 — Malicious NuGet package identified: Cybersecurity researchers found a NuGet package impersonating Sicoob SDK that exfiltrates banking credentials.
- 2026-05-29 — Warnings issued to developers: Developers were advised to avoid using the compromised 'Sicoob.Sdk' package to protect sensitive information.
Related entities
- Malware (Attack Type)
- Supply Chain Attack (Attack Type)
- Sicoob (Company)
- Brazil (Country)
- Financial (Industry)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- Npm (Tool)
- NuGet (Platform)