Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
NuGet Package Compromises Sicoob Credentials

NuGet Package Compromises Sicoob Credentials

Posted on May 29, 2026 By CWS

Cybersecurity experts have identified a harmful NuGet package posing as a C# software development kit for Sicoob, Brazil’s prominent cooperative financial institution. This package is designed to extract client IDs and PFX certificates, compromising sensitive banking information.

Details on the Malicious Package

Security firm Socket has disclosed that the package, named “Sicoob.Sdk,” in versions 2.0.0 to 2.0.4, is engineered to steal confidential data. This includes PFX certificates used by businesses to authenticate themselves with Sicoob’s banking network for operations like instant payments and dynamic Pix QR code generation. The package was reportedly downloaded nearly 500 times before being blocked.

According to researcher Kirill Boychenko, the package encodes the PFX file’s contents in Base64 and transmits it, along with the client’s ID and PFX password, to a predetermined Sentry endpoint. Additionally, it captures raw Boleto API responses, potentially revealing sensitive transaction data and identifiers.

Implications for Users and Developers

The exfiltrated information could be exploited to impersonate Sicoob’s API integrations, posing significant risks. Following these revelations, NuGet has blocked the package, and the profile “sicoob” has been linked to 11 other packages with a collective download count of approximately 6,000.

Google’s AI Mode mistakenly identified this malicious package as a legitimate library, thereby increasing its exposure. Furthermore, discrepancies between the GitHub repository and the distributed NuGet artifact suggest that the repository was designed to appear legitimate while the NuGet package contained the harmful code.

Recommendations and Broader Context

Organizations using “Sicoob.Sdk” should promptly remove the package, treat PFX materials as compromised, and rotate passwords and client IDs. It’s crucial to audit API logs for unusual activity to mitigate potential damage.

This incident coincides with the discovery of 14 malicious npm packages targeting cloud secrets, part of a broader trend in supply chain attacks. Threat actors such as “vpmdhaj” have used these packages to harvest AWS credentials, npm tokens, and more, illustrating an evolution from basic typosquatting techniques to sophisticated brandjacking strategies.

Security experts warn that these developments indicate a shift toward more convincing and legitimate-looking package names, enhancing the risk of inadvertent installation and subsequent data breaches. The campaign by TeamPCP, also known as Replicating Marauder, exemplifies the dangers of compromised software dependency chains, highlighting the need for vigilant security practices in software development.

The Hacker News Tags:API, API integration, banking security, Boleto, cloud secrets, Credentials, Cybersecurity, data exfiltration, malicious package, NuGet, PFX certificates, security breach, Sicoob, SicoobClient, software development

Post navigation

Previous Post: Google Resolves 151 Chrome Vulnerabilities, 22 Critical
Next Post: Google Chrome 148 Update Fixes Critical Bugs

Related Posts

Critical Security Patches Released by Ivanti, Fortinet, and SAP Critical Security Patches Released by Ivanti, Fortinet, and SAP The Hacker News
⚡ Weekly Recap — SharePoint Breach, Spyware, IoT Hijacks, DPRK Fraud, Crypto Drains and More ⚡ Weekly Recap — SharePoint Breach, Spyware, IoT Hijacks, DPRK Fraud, Crypto Drains and More The Hacker News
Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks The Hacker News
Iran’s State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; M Stolen in Crypto Heist Iran’s State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist The Hacker News
Npm Packages Exploit Crypto Keys and CI Secrets Npm Packages Exploit Crypto Keys and CI Secrets The Hacker News
MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Enhancing SOC Efficiency: Cut Alert Overload & MTTR
  • Crypto Wallet Extensions’ Privacy Risks Uncovered
  • CISA Alerts on Cisco IOS Vulnerability Exploitation
  • Critical Fixes for VMware Avi Load Balancer Vulnerabilities
  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Enhancing SOC Efficiency: Cut Alert Overload & MTTR
  • Crypto Wallet Extensions’ Privacy Risks Uncovered
  • CISA Alerts on Cisco IOS Vulnerability Exploitation
  • Critical Fixes for VMware Avi Load Balancer Vulnerabilities
  • RabbitMQ Vulnerabilities Expose OAuth Secrets, Threaten Security

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark