HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Malicious Sicoob NuGet Package Exfiltrates Banking Credentials and Cloud Certificates

A malicious NuGet package masquerading as Sicoob's .NET SDK (versions 2.0.0‑2.0.4) was found stealing client IDs and PFX certificates, exposing financial institutions and any downstream developers to credential compromise.

LiveThreat™ Intelligence · 📅 May 29, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
thehackernews.com

Malicious Sicoob NuGet Package Exfiltrates Banking Credentials and Cloud Certificates

What Happened — Researchers identified a malicious NuGet package, Sicoob.Sdk versions 2.0.0‑2.0.4, that pretends to be an official C# SDK for Brazil’s Sicoob cooperative banking system. The package silently harvests client IDs and PFX certificates, sending them to attacker‑controlled servers.

Why It Matters for TPRM

  • Supply‑chain compromise of a widely‑used .NET library can expose sensitive banking and cloud‑secret credentials across multiple downstream organizations.
  • Credential theft enables lateral movement, unauthorized cloud access, and potential financial fraud.
  • The attack demonstrates the need for rigorous third‑party package vetting and runtime monitoring.

Who Is Affected — Financial services (banks, credit unions, fintech), SaaS providers that integrate the Sicoob SDK, and any enterprise using .NET development pipelines that pull packages from public NuGet feeds.

Recommended Actions

  • Immediately audit all codebases for the presence of Sicoob.Sdk 2.0.0‑2.0.4 and remove or replace it.
  • Rotate any client IDs, PFX certificates, and associated secrets that may have been exposed.
  • Enforce strict allow‑list policies for package repositories and enable SBOM verification.
  • Deploy runtime monitoring to detect anomalous outbound traffic from development environments.

Technical Notes — The malicious code embeds a hidden HTTP client that captures client_id values and extracts PFX files from the host’s file system, then exfiltrates them via encrypted POST requests. No CVE is associated; the threat vector is a compromised third‑party dependency. Source: The Hacker News

📰 Original Source
https://thehackernews.com/2026/05/malicious-sicoob-nuget-steals-banking.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →