Full Report
Cybersecurity researchers have discovered a malicious NuGet package that masquerades as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems, to siphon client IDs and PFX certificates. According to Socket, versions 2.0.0 through 2.0.4 of "Sicoob.Sdk" contain functionality to exfiltrate sensitive information, including PFX certificates that are used to
Analysis Summary
# Tool/Technique: Sicoob.Sdk (Malicious NuGet Package)
## Overview
Sicoob.Sdk is a malicious NuGet package (versions 2.0.0 through 2.0.4) designed to impersonate a legitimate C# software development kit for Sicoob, a major Brazilian financial cooperative. Its primary purpose is to conduct supply chain attacks against developers and organizations to steal banking API credentials, PFX certificates, and transaction data.
## Technical Details
- **Type:** Malware | Supply Chain Attack
- **Platform:** .NET / Windows (C# development environments)
- **Capabilities:** Credential theft, data exfiltration, API response interception.
- **First Seen:** May 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1195.002 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- **TA0006 - Credential Access**
- T1552 - Unsecured Credentials
- **TA0007 - Discovery**
- T1083 - File and Directory Discovery
- **TA0010 - Exfiltration**
- T1048 - Exfiltration Over Alternative Protocol (Exfiltration via Sentry API)
## Functionality
### Core Capabilities
- **PFX Certificate Theft:** When a developer instantiates the `SicoobClient` class, the package identifies the path to the PFX (Personal Information Exchange) certificate file.
- **Certificate Exfiltration:** The package reads the PFX file from the disk, encodes the contents in Base64, and exfiltrates the data, the client ID, and the PFX password to a hardcoded endpoint.
- **Boleto Interception:** The package hooks into the Sicoob Boleto API to capture raw responses, potentially exposing payment identifiers, amounts, and payer/payee details.
### Advanced Features
- **Source-to-Package Mismatch:** The attackers maintain a "clean" GitHub repository to appear legitimate, while the malicious logic is only injected into the compiled DLL uploaded to the NuGet registry.
- **Infrastructure Abuse:** Uses legitimate Sentry (error tracking) endpoints as a proxy or C2 destination to blend in with normal application telemetry traffic.
- **AI Poisoning:** The package was successfully indexed by Google Search AI Mode, leading the AI to recommend the malicious library as a legitimate tool to developers.
## Indicators of Compromise
- **File Names:** `Sicoob.Sdk` (Versions 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4)
- **NuGet Author:** `sicoob`
- **Network Indicators:**
- Hardcoded Sentry endpoints (Defanged: `sentry[.]io/api/[REDACTED]`)
- **Associated Identity:** `vpmdhaj` / `a39155771[@]gmail[.]com` (Related to concurrent NPM campaigns)
## Associated Threat Actors
- **Unknown:** Currently attributed to the individual or group using the alias **"vpmdhaj"** in parallel supply chain campaigns.
## Detection Methods
- **Signature-based detection:** Scan local NuGet caches (`%USERPROFILE%\.nuget\packages`) for the specific versions of Sicoob.Sdk mentioned.
- **Behavioral detection:** Monitor for unauthorized processes reading files with `.pfx` extensions or unexpected outbound HTTPS traffic from development environments to Sentry endpoints not owned by the organization.
- **Code Audit:** Inspecting compiled assemblies for Base64 encoding routines triggered during class instantiation.
## Mitigation Strategies
- **Immediate Response:** Remove `Sicoob.Sdk` from projects and local caches.
- **Credential Rotation:** Treat all PFX certificates used with this package as compromised. Revoke certificates, rotate C# PFX passwords, and cycle Sicoob Client IDs.
- **Supply Chain Security:** Implement NuGet package signing verification and use a private repository (like Artifactory or ProGet) to vet packages before they are available to developers.
- **Lock Files:** Use package-lock files to ensure that unexpected version updates (typosquatting or brandjacking) do not occur automatically.
## Related Tools/Techniques
- **Typosquatting:** Similar to the "@vpmdhaj" npm campaign targeting AWS and Cloud secrets.
- **Dependency Confusion:** Exploiting the way package managers prioritize public registries over internal ones.
- **Brandjacking:** Mimicking a trusted financial institution (Sicoob) to gain trust.