Malicious NuGet Package Targets Brazilian Banking Giant Sicoob in Multi-Pronged Supply Chain Attack
A malicious NuGet package impersonating a C# SDK for Brazil's Sicoob financial system steals client IDs and PFX certificates, while a parallel npm campaign deploys 14 typosquatted packages to harvest cloud secrets.

Cybersecurity researchers at Socket have uncovered a malicious NuGet package that masquerades as a legitimate C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems. The package, named 'Sicoob.Sdk' and published in versions 2.0.0 through 2.0.4, is designed to siphon client IDs and PFX certificates used to authenticate businesses with the Sicoob banking network for automating operations like processing instant payments and generating dynamic Pix QR codes. According to Socket, the package has been downloaded nearly 500 times.
When a developer instantiates SicoobClient with a client ID, a PFX file path, and a PFX password, the malicious package reads the PFX file from disk, Base64-encodes its contents, and sends the supplied client ID, PFX password, and encoded PFX data to a hardcoded third-party Sentry endpoint, security researcher Kirill Boychenko explained. Additionally, the package captures raw Boleto API responses via a separate Sentry path, potentially exposing sensitive transaction details, payment status, amounts, due dates, identifiers, and payer or payee data. Boleto is a popular cash payment method in Brazil for online and offline purchases.
The stolen data could enable threat actors to impersonate the victim's Sicoob banking API integration, opening the door to severe financial risks. Following responsible disclosure, the package has been blocked by NuGet. The profile behind the package, named 'sicoob,' has also listed 11 other NuGet packages that have collectively racked up about 6,000 downloads. Socket also noted that the package was surfaced by Google Search AI Mode as a legitimate C# library, amplifying its reach to unsuspecting developers.
A critical aspect of the attack is the source-to-package mismatch between the linked GitHub repository and the artifact distributed via NuGet. It is suspected that the GitHub repository is kept clean to lend a veneer of legitimacy, while the malicious data-stealing functionality is introduced only in the package uploaded to the registry. Organizations that have installed 'Sicoob.Sdk' are recommended to immediately remove the package, treat PFX material as compromised, replace exposed PFX certificates, rotate PFX passwords, and change or disable affected client IDs where applicable.
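One way to triage a downloaded NuGet artifact for the exfiltration channel described above, as an added example that is not Socket's tooling or anything from the Sicoob.Sdk package: it opens a .nupkg and reports any assembly that embeds a Sentry DSN (the `https://<key>@<host>.sentry.io/<project>` shape Sentry clients are configured with). The sample package, DSN value and file names below are constructed for the demo.

```python
import io
import re
import zipfile

# Hypothetical defender check, not Socket's tooling: look inside a .nupkg for
# assemblies that embed a Sentry DSN, the channel Sicoob.Sdk used to ship PFX
# material off the host. Legitimate apps embed DSNs too, so a hit is a triage
# lead that needs a human look, not a verdict.
SENTRY_DSN = re.compile(r"https?://[0-9a-f]+@[a-z0-9.-]*sentry\.io/\d+")


def _string_views(data: bytes):
    """Yield the blob as text in the encodings .NET assemblies actually use."""
    # Managed string literals live in the #US heap as UTF-16LE, so a plain
    # ASCII scan misses them; decode at both byte offsets so alignment is moot.
    yield data.decode("latin-1")
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", errors="ignore")


def scan_nupkg(nupkg_bytes: bytes) -> dict:
    """Return {path_inside_package: [dsn, ...]} for every assembly with a DSN."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith((".dll", ".exe")):
                continue
            hits = set()
            for text in _string_views(pkg.read(name)):
                hits.update(SENTRY_DSN.findall(text))
            if hits:
                findings[name] = sorted(hits)
    return findings


def build_sample_nupkg() -> bytes:
    """Constructed sample package: one clean assembly, one with a UTF-16LE DSN."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("Sicoob.Sdk.nuspec", "<package />")
        pkg.writestr("lib/net8.0/Clean.dll", b"MZ" + b"\x00" * 64 + b"no telemetry")
        dsn = "https://abc123@o4500.ingest.sentry.io/987"  # constructed, not a real DSN
        pkg.writestr("lib/net8.0/Sicoob.Sdk.dll",
                     b"MZ" + b"\x00" * 64 + dsn.encode("utf-16-le"))
    return buf.getvalue()
```

Running `scan_nupkg(build_sample_nupkg())` flags only the assembly carrying the DSN; the same call works on a real .nupkg read from disk.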
In a parallel development, the Microsoft Defender Security Research Team has identified 14 malicious npm packages that typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries. Published by a single threat actor named 'vpmdhaj' on May 28, 2026, these packages deploy a purpose-built credential harvester compiled with Bun to target AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets from the host environment via a preinstall hook.
The npm packages include names such as '@vpmdhaj/devops-tools', '@vpmdhaj/elastic-helper', 'app-config-utility', and 'opensearch-config-utility', among others. This campaign is part of a staggering spate of supply chain attacks targeting the npm ecosystem over the past few days, including 164 malicious packages across five scoped namespaces that exfiltrate environment variables, 141 packages abusing npm as free static hosting for ad-monetized web proxies, and the 'forge-jsxy' package capable of keylogging, clipboard monitoring, and cryptocurrency wallet scanning.
Sonatype, in a newly published report, noted that threat actors have outgrown classic typosquatting techniques, moving beyond obvious misspellings to using names that appear convincing in legitimate developer workflows. Popular brandjacking techniques include prefix or suffix addition, dependency confusion, version mimicry, embedded target terms, altered scopes or namespaces, and names that resemble the function of a legitimate package. The broader pattern, Sonatype said, is manufactured legitimacy: attackers designing package names to look trustworthy at a glance.
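As an added defender-side example (not Sonatype's or Microsoft's tooling), the heuristic below labels a candidate npm package name with the brandjacking patterns listed above, measured against an allowlist of packages an organisation actually depends on; the allowlist, the affix word list and the signal names are assumptions constructed for the demo.

```python
import re

# Hypothetical heuristic, not Sonatype's or Microsoft's tooling: report which brandjacking
# patterns from the Sonatype report a candidate npm name shows against a constructed allowlist.
KNOWN = {"opensearch", "@elastic/elasticsearch", "@opensearch-project/opensearch", "dotenv"}
# Generic words bolted onto a brand so the name reads like a companion library.
AFFIXES = {"utility", "utils", "helper", "helpers", "tools", "config", "sdk", "client"}


def _split(name: str):
    """'@scope/base' -> ('scope', 'base'); an unscoped name -> ('', name)."""
    if name.startswith("@"):
        scope, _, base = name[1:].partition("/")
        return scope, base
    return "", name


def _tokens(base: str):
    return [t for t in re.split(r"[-_.]", base) if t]


KNOWN_SCOPES = {_split(k)[0] for k in KNOWN if k.startswith("@")}
KNOWN_BASES = {_split(k)[1] for k in KNOWN}
# Brand terms worth protecting: each known base token plus the first word of each known scope.
TERMS = {t for b in KNOWN_BASES for t in _tokens(b)} | {s.split("-")[0] for s in KNOWN_SCOPES}


def brandjack_signals(candidate: str) -> set:
    """Patterns the name matches; empty for an allowlisted or unrelated name."""
    if candidate in KNOWN:
        return set()
    scope, base = _split(candidate)
    toks = _tokens(base)
    brand = [t for t in toks if any(term in t for term in TERMS)]
    signals = set()
    if brand:
        signals.add("embedded_target_term")
        rest = [t for t in toks if t not in brand]
        if rest and all(t in AFFIXES for t in rest):
            signals.add("affix_addition")
        # Foreign scope on a brand name, or a known scoped base republished without its scope.
        dropped = not scope and any(k.startswith("@") and _split(k)[1] == base for k in KNOWN)
        if (scope and scope not in KNOWN_SCOPES) or dropped:
            signals.add("altered_scope")
    return signals
```

Wired into a CI step that runs over a lockfile, any non-empty result is a name to review before the install proceeds.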
Microsoft's full technical breakdown of the campaign, published May 28, 2026, reveals that the 14 typosquatted npm packages are published by a single actor operating as 'vpmdhaj' (email a39155771@gmail.com) and ship a roughly 195 KB Bun-compiled binary that steals not only AWS and Vault secrets but also GitHub Actions tokens and npm publish tokens. Critically, the newer stager variant downloads the legitimate Bun runtime—avoiding suspicious outbound C2 connections—while the second-stage binary scans multiple AWS regions, queries EC2 metadata, and checks for GitHub Actions pipelines. Stolen npm publish tokens could enable downstream supply-chain attacks, and a full set of IoCs—including package names, the maintainer alias, and the C2 domain aab.sports—has been provided for defenders.
New analysis from Socket reveals that the malicious Sicoob.Sdk package recorded 484 downloads across versions 2.0.0–2.0.4 before takedown, and that the publisher account hosted multiple Sicoob-branded packages, all now considered untrusted. The exfiltration leveraged a hardcoded Sentry telemetry endpoint to blend stolen PFX certificates, plaintext passwords, and client IDs with legitimate application traffic, and in some cases captured boleto payment transaction data. The public GitHub repository appeared benign while the compiled binary contained the malicious logic, confirming a deliberate supply-chain attack where a clean codebase served as a façade for a tampered NuGet binary.