Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
NuGet Package Compromises Sicoob Credentials

NuGet Package Compromises Sicoob Credentials

Posted on May 29, 2026 By CWS

Cybersecurity experts have identified a harmful NuGet package posing as a C# software development kit for Sicoob, Brazil’s prominent cooperative financial institution. This package is designed to extract client IDs and PFX certificates, compromising sensitive banking information.

Details on the Malicious Package

Security firm Socket has disclosed that the package, named “Sicoob.Sdk,” in versions 2.0.0 to 2.0.4, is engineered to steal confidential data. This includes PFX certificates used by businesses to authenticate themselves with Sicoob’s banking network for operations like instant payments and dynamic Pix QR code generation. The package was reportedly downloaded nearly 500 times before being blocked.

According to researcher Kirill Boychenko, the package encodes the PFX file’s contents in Base64 and transmits it, along with the client’s ID and PFX password, to a predetermined Sentry endpoint. Additionally, it captures raw Boleto API responses, potentially revealing sensitive transaction data and identifiers.

Implications for Users and Developers

The exfiltrated information could be exploited to impersonate Sicoob’s API integrations, posing significant risks. Following these revelations, NuGet has blocked the package, and the profile “sicoob” has been linked to 11 other packages with a collective download count of approximately 6,000.

Google’s AI Mode mistakenly identified this malicious package as a legitimate library, thereby increasing its exposure. Furthermore, discrepancies between the GitHub repository and the distributed NuGet artifact suggest that the repository was designed to appear legitimate while the NuGet package contained the harmful code.

Recommendations and Broader Context

Organizations using “Sicoob.Sdk” should promptly remove the package, treat PFX materials as compromised, and rotate passwords and client IDs. It’s crucial to audit API logs for unusual activity to mitigate potential damage.

This incident coincides with the discovery of 14 malicious npm packages targeting cloud secrets, part of a broader trend in supply chain attacks. Threat actors such as “vpmdhaj” have used these packages to harvest AWS credentials, npm tokens, and more, illustrating an evolution from basic typosquatting techniques to sophisticated brandjacking strategies.

Security experts warn that these developments indicate a shift toward more convincing and legitimate-looking package names, enhancing the risk of inadvertent installation and subsequent data breaches. The campaign by TeamPCP, also known as Replicating Marauder, exemplifies the dangers of compromised software dependency chains, highlighting the need for vigilant security practices in software development.

The Hacker News Tags:API, API integration, banking security, Boleto, cloud secrets, Credentials, Cybersecurity, data exfiltration, malicious package, NuGet, PFX certificates, security breach, Sicoob, SicoobClient, software development

Post navigation

Previous Post: Google Resolves 151 Chrome Vulnerabilities, 22 Critical
Next Post: Google Chrome 148 Update Fixes Critical Bugs

Related Posts

EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware The Hacker News
Apple Fixes Eavesdropping Flaw in Beats Studio Buds Apple Fixes Eavesdropping Flaw in Beats Studio Buds The Hacker News
Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials The Hacker News
Why Non-Human Identity Management is the Next Cybersecurity Frontier Why Non-Human Identity Management is the Next Cybersecurity Frontier The Hacker News
Microsoft’s AI MDASH System Detects 16 Windows Vulnerabilities Microsoft’s AI MDASH System Detects 16 Windows Vulnerabilities The Hacker News
DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Turkish Banks Hit by Extensive Phishing and Scam Ads
  • Pentera Enhances AI Security with Validation Engines
  • Enhancing SOC Efficiency: Cut Alert Overload & MTTR
  • Crypto Wallet Extensions’ Privacy Risks Uncovered
  • CISA Alerts on Cisco IOS Vulnerability Exploitation

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Turkish Banks Hit by Extensive Phishing and Scam Ads
  • Pentera Enhances AI Security with Validation Engines
  • Enhancing SOC Efficiency: Cut Alert Overload & MTTR
  • Crypto Wallet Extensions’ Privacy Risks Uncovered
  • CISA Alerts on Cisco IOS Vulnerability Exploitation

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark