Malicious Sicoob NuGet Package Exfiltrates Banking Credentials and Cloud Certificates
What Happened — Researchers identified a malicious NuGet package, Sicoob.Sdk versions 2.0.0‑2.0.4, that pretends to be an official C# SDK for Brazil’s Sicoob cooperative banking system. The package silently harvests client IDs and PFX certificates, sending them to attacker‑controlled servers.
Why It Matters for TPRM —
- Supply‑chain compromise of a widely‑used .NET library can expose sensitive banking and cloud‑secret credentials across multiple downstream organizations.
- Credential theft enables lateral movement, unauthorized cloud access, and potential financial fraud.
- The attack demonstrates the need for rigorous third‑party package vetting and runtime monitoring.
Who Is Affected — Financial services (banks, credit unions, fintech), SaaS providers that integrate the Sicoob SDK, and any enterprise using .NET development pipelines that pull packages from public NuGet feeds.
Recommended Actions —
- Immediately audit all codebases for the presence of
Sicoob.Sdk2.0.0‑2.0.4 and remove or replace it. - Rotate any client IDs, PFX certificates, and associated secrets that may have been exposed.
- Enforce strict allow‑list policies for package repositories and enable SBOM verification.
- Deploy runtime monitoring to detect anomalous outbound traffic from development environments.
Technical Notes — The malicious code embeds a hidden HTTP client that captures client_id values and extracts PFX files from the host’s file system, then exfiltrates them via encrypted POST requests. No CVE is associated; the threat vector is a compromised third‑party dependency. Source: The Hacker News