Security researchers have identified a malicious NuGet package posing as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial institutions. The package is designed to steal client IDs and PFX client certificates, the credentials a business uses to authenticate to Sicoob's banking APIs.
Details on the Malicious Package
Security firm Socket has disclosed that the package, named "Sicoob.Sdk," is engineered to steal confidential data in versions 2.0.0 through 2.0.4. The targeted data includes the PFX certificates that businesses use to authenticate themselves to Sicoob's banking APIs for operations such as instant payments and dynamic Pix QR code generation. The package was reportedly downloaded nearly 500 times before it was blocked.
According to researcher Kirill Boychenko, the package Base64-encodes the contents of the PFX file and transmits it, together with the client ID and the PFX password, to a hard-coded Sentry endpoint. Taken together, those three items are everything a third party needs to authenticate to Sicoob as the victim. The package additionally captures raw Boleto API responses, which can expose transaction data and identifiers.
Implications for Users and Developers
The exfiltrated material could be used to impersonate the victim's integration with Sicoob's APIs, which poses a significant risk. Following the disclosure, NuGet blocked the package; the publisher profile "sicoob" has been linked to 11 other packages with a combined download count of approximately 6,000.
Google's AI Mode surfaced the malicious package as the legitimate library, increasing its exposure to developers searching for an official SDK. Furthermore, discrepancies between the linked GitHub repository and the distributed NuGet artifact suggest that the repository was set up to look legitimate while the harmful code shipped only in the published package. A linked source repository is therefore not evidence of what a published package contains; the artifact actually being restored is what has to be inspected.
Recommendations and Broader Context
Organizations that have used "Sicoob.Sdk" should remove the package immediately, treat the PFX certificate and its password as compromised (revoke and reissue the certificate rather than only changing the password), and rotate client IDs. API logs should also be audited for Pix, Boleto and other requests the organization did not make, since the stolen credentials allow an attacker to act as the victim's integration.
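The first step in that cleanup is finding every project that pulls in an affected release. The following Python script is an added example, not code from the article or from Socket: it scans the two standard NuGet manifests, SDK-style `.csproj` files (`PackageReference` items) and `packages.lock.json` (which also lists transitive dependencies), and flags `Sicoob.Sdk` versions 2.0.0 through 2.0.4. The sample manifests embedded in the script are constructed for the demonstration; the package name and version range come from the article.

```python
"""Flag the affected Sicoob.Sdk releases (2.0.0 through 2.0.4) in NuGet manifests.

Added example, not code from the article or from Socket. The sample manifests
below are constructed for the demo; the file formats (SDK-style .csproj
PackageReference items and packages.lock.json) are the standard NuGet ones.
"""
import json
import xml.etree.ElementTree as ET

# Package id -> inclusive (lowest, highest) affected version. NuGet ids are case-insensitive.
AFFECTED = {
    "sicoob.sdk": ((2, 0, 0), (2, 0, 4)),
}


def parse_version(version):
    """'2.0.3' -> (2, 0, 3). Pre-release ('-beta') and build ('+sha') suffixes are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def exact_version(version):
    """Return the version string if it is pinned, else None.

    Ranges such as '[2.0.0, 3.0.0)' and floating versions such as '2.0.*' are only
    resolved at restore time; check the 'resolved' field in packages.lock.json for those.
    """
    if version is None or any(ch in version for ch in "[](),*"):
        return None
    return version.strip()


def is_affected(package_id, version):
    """True when package_id/version falls inside an AFFECTED range."""
    rng = AFFECTED.get(package_id.lower())
    if rng is None:
        return False
    lo, hi = rng
    return lo <= parse_version(version) <= hi


def scan_lock_file(text):
    """Return [(framework, package, resolved_version)] hits from packages.lock.json."""
    data = json.loads(text)
    hits = []
    for framework, deps in data.get("dependencies", {}).items():
        for pkg, info in deps.items():
            resolved = info.get("resolved")
            if resolved and is_affected(pkg, resolved):
                hits.append((framework, pkg, resolved))
    return hits


def scan_csproj(text):
    """Return [(package, version)] hits for pinned PackageReference items in a .csproj.

    Handles SDK-style projects (no XML namespace) and legacy MSBuild projects whose
    elements sit in the http://schemas.microsoft.com/developer/msbuild/2003 namespace.
    """
    root = ET.fromstring(text)
    hits = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "PackageReference":
            continue
        pkg = el.get("Include") or el.get("Update")
        version = el.get("Version")
        if version is None:  # <Version> may also be given as a child element
            child = next((c for c in el if c.tag.split("}")[-1] == "Version"), None)
            version = child.text if child is not None else None
        version = exact_version(version)
        if pkg and version and is_affected(pkg, version):
            hits.append((pkg, version))
    return hits


# Constructed sample manifests for the demo (not real project files).
LOCK_SAMPLE = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.3, )", "resolved": "2.0.3"},
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
        }
    },
})

CSPROJ_SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sicoob.Sdk" Version="2.0.1" />
    <PackageReference Include="Dapper" Version="2.1.35" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    for hit in scan_lock_file(LOCK_SAMPLE):
        print("packages.lock.json:", *hit)
    for hit in scan_csproj(CSPROJ_SAMPLE):
        print(".csproj:", *hit)
```

Run it against the real `packages.lock.json` and `.csproj` files in a repository (or `obj/project.assets.json` where no lock file is committed) to get the resolved versions; a hit in any of them means the host that restored the package should be treated as one whose PFX and credentials were exposed.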
This incident coincides with the discovery of 14 malicious npm packages targeting cloud secrets, part of a broader trend in supply chain attacks. Threat actors such as “vpmdhaj” have used these packages to harvest AWS credentials, npm tokens, and more, illustrating an evolution from basic typosquatting techniques to sophisticated brandjacking strategies.
Security experts warn that these developments indicate a shift toward more convincing, legitimate-looking package names, which increases the risk of inadvertent installation and subsequent data breaches. The campaign by TeamPCP, also known as Replicating Marauder, exemplifies the dangers of compromised software dependency chains and highlights the need for vigilant security practices in software development.
