Security experts have identified a fake NuGet package disguised as a C# development toolkit for Sicoob, one of Brazil’s biggest cooperative banking systems. The rogue package secretly steals client IDs and PFX certificates from users.
As reported by Socket, versions 2.0.0 through 2.0.4 of the package named “Sicoob.Sdk” include hidden code designed to extract sensitive data — specifically PFX certificates used by businesses to authenticate with the Sicoob banking network for automated operations such as instant payment processing and generating dynamic Pix QR codes. The package has been downloaded close to 500 times.
“When a developer creates a SicoobClient instance using a client ID, a PFX file path, and a PFX password, the package reads the certificate file from the local system, converts it to Base64 format, and transmits the client ID, PFX password, and certificate data to a predetermined third-party Sentry endpoint,” explained security analyst Kirill Boychenko.
The package also intercepts raw responses from the Boleto API through a separate Sentry entry point. Boleto is a widely used cash-based payment system in Brazil for both online and in-store transactions. This means the package could potentially capture private transaction information including payment statuses, amounts, due dates, reference numbers, and details about payers or recipients.
According to Socket, the stolen information poses significant risks because attackers could use it to impersonate the victim’s Sicoob banking API integration. After responsible disclosure to the relevant parties, NuGet took down the package. The account responsible for the upload, identified as “sicoob,” has also published 11 additional NuGet packages that together have accumulated roughly 6,000 downloads.
The application security firm also noted that Google Search AI Mode highlighted the malicious package as a genuine C# library for Sicoob banking API integration, thereby increasing its visibility to unsuspecting developers actively searching for such a tool.
Another critical detail about this attack is that the code in the linked GitHub repository does not match what is actually distributed through NuGet. Investigators believe the GitHub repository was set up purely to give the operation an appearance of credibility by keeping it clean, while the malicious data-stealing code is injected only into the version uploaded to the package registry.
Furthermore, the theft of Sicoob API authentication credentials could also create downstream risks for end users, potentially leading to the exposure of financial records or unauthorized payment activity.
Organizations that have installed “Sicoob.Sdk” are strongly advised to remove the package immediately, assume all PFX material has been compromised, replace the affected certificates, rotate PFX passwords, and update or disable any exposed clientIDs. They are also recommended to review Sicoob authentication and API access logs for any unusual or unauthorized activity.
This discovery comes alongside the identification of 14 malicious npm packages that imitate popular OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries. These counterfeit packages harvest AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets from the host environment using a custom-built credential stealer that is triggered via a preinstall hook.
According to the Microsoft Defender Security Research Team, all 14 packages were published by a single attacker using the alias “vpmdhaj” (“a39155771@gmail.com”) on May 28, 2026. The package names are listed below –
- @vpmdhaj/devops-tools
- @vpmdhaj/elastic-helper
- @vpmdhaj/opensearch-setup
- @vpmdhaj/search-setup
- app-config-utility
- elastic-opensearch-helper
- env-config-manager
- opensearch-config-utility
- opensearch-security-scanner
- opensearch-setup
- opensearch-setup-tool
- search-cluster-setup
- search-engine-setup
- vpmdhaj-opensearch-setup
These findings are part of an ongoing wave of supply chain attacks that have hit the npm ecosystem in recent days –
- 164 malicious npm packages spread across five scoped namespaces carrying a postinstall payload that fetches a second-stage JavaScript file, launches it as a separate process, and transmits the victim’s environment variables (“process.env”) to “oob.moika[.]tech/report.”
- 141 malicious npm packages published between May 7 and 27, 2026, that misuse npm as a free static hosting platform for an ad-funded web proxy aimed at students, displaying popunder advertisements to users who access these pages via search engine results or shared links.
- A malicious npm package named “forge-jsxy” equipped with keylogging, clipboard surveillance, .env file scanning, shell history exfiltration, host inventory collection, remote filesystem access, screenshot capture, and cryptocurrency wallet scanning capabilities. “Forge-jsxy” is believed to be a follow-up to the “forge-jsx” campaign that was uncovered late last month.
- 176 malicious npm packages that exploit dependency confusion tactics by using an inflated version number (“99.99.99”) to deliver a postinstall script capable of fingerprinting the host and downloading a platform-specific JavaScript payload, which then performs further reconnaissance, steals credentials and other valuable developer secrets, and retrieves and executes a second-stage binary.
In a recently published report, Sonatype noted that threat actors have moved well beyond basic typosquatting methods. Instead of relying on simple misspellings, they are now crafting package names that seem authentic within real developer workflows to steal information and deploy malicious code. This effectively transforms what appears to be an ordinary package installation into a dangerous attack vector for reconnaissance, credential theft, and further exploitation.
Common brandjacking strategies include adding prefixes or suffixes, exploiting dependency confusion, mimicking version numbers, embedding recognizable terms, altering scopes or namespaces, and choosing names that mimic the purpose of a legitimate package.
“The term ‘typosquatting’ is no longer broad enough to describe what this analysis reveals,” stated the supply chain security company. “The larger trend is one of manufactured authenticity: adversaries are engineering package names to appear convincing, useful, and routine within today’s software ecosystems.”
These events have also taken place amid a broader series of software supply chain compromises attributed to TeamPCP (also known as Replicating Marauder and UNC6780). This group has emerged as a significant threat by poisoning widely used developer tools across npm, PyPI, Docker Hub, and Packagist in a self-propagating, worm-like manner.
“Replicating Marauder wasn’t simply injecting malicious code into packages. It was leveraging automation, inherited trust, and standard CI/CD workflows to drive compromise much further downstream,” said BlueVoyant researcher Michael Warren.
“This marked the stage where the campaign most clearly showed that a single compromised dependency or container image could trigger a breach in a completely unrelated organization’s release pipeline. The tactical evolution turned isolated software poisoning into a repeatable method for spreading from one victim to the next.”
