A malicious package named Sicoob.Sdk (versions 2.0.0–2.0.4) has been discovered in the NuGet registry, masquerading as the official C# SDK for integrating with Sicoob — one of Brazil’s largest cooperative financial systems. The package stole client identifiers, passwords, and PFX certificates used for authentication to the banking API, and sent them to a third-party server. According to Socket researchers, the package was downloaded about 500 times. Organizations that installed this package must immediately revoke the compromised certificates and rotate all associated credentials.
Data theft mechanism
According to researcher Kirill Boychenko from Socket, when an instance of the SicoobClient class was created with a client identifier, PFX file path, and password, the package read the PFX file from disk, encoded its contents in Base64, and sent the client identifier, password, and encoded certificate data to a hard-coded external Sentry endpoint. In this context, PFX certificates are a key element of how business systems authenticate within the Sicoob banking network — they enable automated banking operations, including processing instant payments and generating dynamic Pix QR codes.
In addition to certificates, the package reportedly intercepted responses from the Boleto API system — a popular payment method in Brazil — via a separate Sentry path. This could potentially expose transaction details: payment statuses, amounts, due dates, identifiers, as well as payer and recipient data.
Camouflage tactics
The attack used several techniques to create an appearance of legitimacy. The publisher profile on NuGet was registered under the name “sicoob” and, according to researchers, contained 11 additional packages with a total of around 6,000 downloads. The package was linked to a GitHub repository that appeared clean and contained no malicious code — the malicious functionality was introduced only in the artifact uploaded to the NuGet registry. This discrepancy between the source code and the distributed package is a hallmark of a targeted software supply chain attack.
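A minimal form of the source-versus-artifact check this discrepancy calls for, written here as an added example rather than code from Socket or the Sicoob project: it unpacks two .nupkg files (which are zip archives), hashes every entry, and reports files that exist only in the registry copy or whose contents differ from a package built from the public repository. The sample archives, entry names and contents are constructed for the demo.

```python
import hashlib
import io
import zipfile

def nupkg_digests(data: bytes) -> dict[str, str]:
    """Map every file entry in a .nupkg (a zip archive) to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_artifacts(local_nupkg: bytes, registry_nupkg: bytes) -> dict[str, set[str]]:
    """Diff a package built from the public repository against the copy served by the registry."""
    local, remote = nupkg_digests(local_nupkg), nupkg_digests(registry_nupkg)
    return {
        "only_in_registry": set(remote) - set(local),   # files the repository never produced
        "only_in_local": set(local) - set(remote),
        "content_differs": {f for f in local.keys() & remote.keys() if local[f] != remote[f]},
    }

def build_sample(files: dict[str, bytes]) -> bytes:
    """Constructed stand-in for a .nupkg: a zip with the given entries (not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample archives; entry names and contents are assumptions for the demo.
LOCAL_BUILD = build_sample({
    "Sicoob.Sdk.nuspec": b"<package/>",
    "lib/net6.0/Sicoob.Sdk.dll": b"MZ assembly built from the clean repository",
})
REGISTRY_COPY = build_sample({
    "Sicoob.Sdk.nuspec": b"<package/>",
    "lib/net6.0/Sicoob.Sdk.dll": b"MZ assembly with code that is not in the repository",
    "lib/net6.0/Sentry.dll": b"MZ extra dependency shipped only in the registry artifact",
})

if __name__ == "__main__":
    for kind, files in compare_artifacts(LOCAL_BUILD, REGISTRY_COPY).items():
        print(kind, sorted(files))
```

Assembly hashes only match when the local package is built from the same commit with deterministic compilation, so a non-empty content_differs set is a prompt to diff the assemblies, not proof of tampering; an entry in only_in_registry (an assembly the repository never referenced) is the stronger signal.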
After responsible disclosure, the package was blocked in the NuGet registry.
Wave of attacks on the npm ecosystem
The Sicoob.Sdk incident is part of a large wave of software supply chain attacks. In parallel, multiple campaigns have been observed in the npm ecosystem:
- 14 malicious npm packages, documented by the Microsoft Defender Security Research Team, impersonated OpenSearch and ElasticSearch libraries and DevOps tools. The packages stole AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets via a preinstall hook mechanism. All packages were published on May 28, 2026, by the account “vpmdhaj” ([email protected]).
- 164 malicious npm packages across five namespaces that sent victims’ environment variables to the domain oob.moika[.]tech/report.
- 176 malicious npm packages that used a dependency confusion technique with the version number “99.99.99” to replace organizations’ internal dependencies. The packages conducted host reconnaissance, stole developer credentials, and downloaded a second-stage binary.
- The forge-jsxy package with keylogging functionality, clipboard monitoring, .env file scanning, exfiltration of shell command history, remote file system access, screenshot capture, and cryptocurrency wallet scanning.
- 141 malicious npm packages that used npm as free hosting for an advertising web proxy.
Evolution of tactics: from typos to “manufacturing legitimacy”
According to Sonatype’s assessment, attackers have moved beyond classic typosquatting. The term “typosquatting” is now too narrow to describe the tactics being observed. Modern techniques include adding prefixes and suffixes, dependency confusion, version mimicry, use of targeted terms in package names, and switching namespaces. The overall strategy is to create packages that look plausible and fit naturally into developers’ workflows.
Separately, BlueVoyant links a number of recent incidents to the group TeamPCP (also known as Replicating Marauder / UNC6780), which allegedly poisons popular developer tools in npm, PyPI, Docker Hub, and Packagist, using automation and inherited trust in CI/CD pipelines to propagate compromise across organizations. However, this attribution is based on analysis by a single vendor and should be interpreted with caution.
Impact assessment
Compromise of Sicoob PFX certificates creates a critical risk for affected organizations. An attacker in possession of a valid certificate and client identifier can fully impersonate the victim’s banking API integration — initiate payments, generate payment QR codes, and access financial data. Indirectly, this also affects end users: leakage of authentication materials can lead to unauthorized operations involving their funds.
The scale of the threat in the npm ecosystem is significantly broader: in total, over the past few weeks more than 600 malicious packages have been discovered that target theft of cloud credentials, CI/CD secrets, and developer data.
Recommendations
For organizations that used Sicoob.Sdk:
- Immediately remove the package from all projects and build pipelines.
- Treat all PFX certificates used with this package as compromised — revoke and reissue them.
- Rotate PFX file passwords and change or disable affected client identifiers.
- Audit Sicoob authentication logs and API calls for signs of anomalous activity.
- Check whether other packages from the “sicoob” profile are present in project dependencies.
To protect against supply chain attacks in general:
- Implement verification that the source code in the repository matches the distributed artifact in the package registry.
- Use software composition analysis (SCA) tools capable of detecting anomalous package behavior — network calls, file access, and access to environment variables.
- Limit the use of preinstall/postinstall hooks in npm projects via the ignore-scripts option.
- Check project dependencies for packages listed in the IOCs: @vpmdhaj/devops-tools, @vpmdhaj/elastic-helper, @vpmdhaj/opensearch-setup, @vpmdhaj/search-setup, app-config-utility, elastic-opensearch-helper, env-config-manager, opensearch-config-utility, opensearch-security-scanner, opensearch-setup, opensearch-setup-tool, search-cluster-setup, search-engine-setup, vpmdhaj-opensearch-setup, forge-jsxy.
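As an added example (not the article's or any vendor's tooling), the following script applies the last two recommendations to a project's own manifests: it scans an npm lockfile for the IoC packages listed above, for the 99.99.99 version used in the dependency-confusion campaign, and for packages that declare install hooks, and scans a .csproj for references to Sicoob.Sdk. The sample lockfile and project file are constructed.

```python
import json
import xml.etree.ElementTree as ET

# Indicators copied from the article: npm packages from the vpmdhaj campaign plus forge-jsxy.
NPM_IOCS = {
    "@vpmdhaj/devops-tools", "@vpmdhaj/elastic-helper", "@vpmdhaj/opensearch-setup",
    "@vpmdhaj/search-setup", "app-config-utility", "elastic-opensearch-helper",
    "env-config-manager", "opensearch-config-utility", "opensearch-security-scanner",
    "opensearch-setup", "opensearch-setup-tool", "search-cluster-setup",
    "search-engine-setup", "vpmdhaj-opensearch-setup", "forge-jsxy",
}
CONFUSION_VERSION = "99.99.99"  # version string used by the dependency-confusion campaign
NUGET_IOC = ("sicoob.sdk", {"2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4"})  # name, bad versions

def audit_npm_lock(lock_json: str) -> list[str]:
    """Scan an npm lockfile (lockfileVersion 2/3 'packages' map) and return findings."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.split("node_modules/")[-1]  # handles nested node_modules paths
        version = meta.get("version", "?")
        if name in NPM_IOCS:
            findings.append(f"IOC {name}@{version}")
        if version == CONFUSION_VERSION:
            findings.append(f"CONFUSION-VERSION {name}@{version}")
        if meta.get("hasInstallScript"):  # npm marks packages that declare install hooks
            findings.append(f"INSTALL-SCRIPT {name}@{version}")
    return findings

def audit_csproj(csproj_xml: str) -> list[str]:
    """Scan a .csproj for PackageReference entries pointing at the malicious NuGet package."""
    findings = []
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        name, version = ref.get("Include", ""), ref.get("Version", "?")
        if name.lower() == NUGET_IOC[0]:
            tag = "IOC" if version in NUGET_IOC[1] else "SUSPECT-PUBLISHER"
            findings.append(f"{tag} {name}@{version}")
    return findings

# Constructed sample inputs (not real project files).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/opensearch-setup": {"version": "1.0.2", "hasInstallScript": True},
    "node_modules/internal-billing-lib": {"version": "99.99.99"},
}})
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Sicoob.Sdk" Version="2.0.3" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup></Project>"""
```

Run it against the real package-lock.json and .csproj files of a project to list findings; an INSTALL-SCRIPT line is not malicious by itself but identifies exactly the packages that ignore-scripts would neutralise.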
The Sicoob.Sdk case shows that supply chain attacks are expanding beyond npm and are actively targeting the NuGet ecosystem, while attackers are investing in building convincing legitimacy infrastructure — from clean GitHub repositories to plausible publisher names. Organizations working with financial APIs should immediately inventory third-party dependencies and ensure that none of the listed packages are present in their build pipelines.