Sophisticated Supply Chain Attack Targets Brazilian Banking SDK via Malicious NuGet Package
A supply chain attack impersonating the official C# SDK for Sicoob, one of Brazil’s largest cooperative banking networks, was uncovered by researchers at Socket. The malicious NuGet package, Sicoob.Sdk (versions 2.0.0–2.0.4), contained hidden credential exfiltration logic designed to steal sensitive banking credentials and payment data.
Key Details of the Attack
- Timeline: The fraudulent package was published on May 5, 2026, and rapidly updated to version 2.0.4 by May 6, 2026, before being blocked following Socket’s abuse report.
- Target: Sicoob serves 9 million members across 328 cooperatives and 5,219 service points in Brazil, making it a high-value target for financially motivated threat actors.
- Deception Tactics: The package mimicked a legitimate .NET 8 SDK for Sicoob’s APIs, complete with a GitHub organization (Sicoob-Cooperativa) and clean-looking source code. However, the compiled DLL contained malicious logic absent from the public repository.
- Exfiltration Mechanism: When developers initialized SicoobClient with a client ID, PFX file path, and password (a standard workflow for mutual TLS banking integrations), the DLL secretly base64-encoded the PFX certificate and transmitted it, along with the plaintext password and client ID, to a hardcoded Sentry telemetry endpoint (o4511335034847232.ingest.de.sentry.io).
- Secondary Data Theft: The attack also captured raw boleto API responses, exposing transaction details, payer/payee information, due dates, and payment status.
- Trigger Condition: The exfiltration only activated when isSandbox was set to false, meaning it targeted production environments using live credentials.
Attacker Infrastructure & Exposure
- The NuGet publisher account (sicoob) listed 12 Sicoob-branded packages, accumulating 484 total downloads.
- The fraudulent GitHub organization (Sicoob-Cooperativa), created on May 4, 2026, had no verification, public members, or affiliation with the real Sicoob, whose official GitHub links to sicoob.com.br.
- Google’s AI search briefly promoted Sicoob.Sdk as the recommended .NET integration path, increasing developer exposure.
Broader Context
This incident follows a February 2026 discovery of four malicious NuGet packages (NCryptYo, DOMOAuth2_, IRAOAuth2.0, SimpleWriter_), which exfiltrated ASP.NET Identity data and installed persistent C2 backdoors, totaling 4,500+ downloads. These campaigns highlight NuGet’s growing appeal to attackers using impersonation, typosquatting, and source-façade techniques to bypass developer trust.
Indicators of Compromise (IOCs)
- Malicious Package: Sicoob.Sdk (versions 2.0.0–2.0.4)
- NuGet Publisher: sicoob
- Exfiltration Host: o4511335034847232.ingest.de.sentry.io
- Fraudulent GitHub Org: github.com/Sicoob-Cooperativa
- Fraudulent Contributor: github.com/joaobcdev
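As an added defender-side check (written for this summary, not code from the article or from Socket's research), the script below flags .NET project files that reference the affected Sicoob.Sdk versions and scans a .nupkg's DLLs for the hardcoded exfiltration host listed above. The project file and package contents are constructed samples; the function names are my own, and the UTF-16LE check reflects how .NET stores string literals in the #US heap.

```python
# Added defender check, not from the article or Socket: flags projects that reference
# the malicious Sicoob.Sdk versions and scans a .nupkg's DLLs for the exfil host.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MALICIOUS_PACKAGE = "Sicoob.Sdk"
AFFECTED_RANGE = ((2, 0, 0), (2, 0, 4))  # inclusive, per the IOC list
EXFIL_HOST = "o4511335034847232.ingest.de.sentry.io"
# .NET string literals live in the #US heap as UTF-16LE, so check both encodings.
HOST_PATTERNS = (EXFIL_HOST.encode("ascii"), EXFIL_HOST.encode("utf-16-le"))

def _version_tuple(version: str) -> tuple:
    """'2.0.4' -> (2, 0, 4); a pre-release suffix such as '-beta' is ignored."""
    return tuple(int(m.group()) for p in version.split(".")
                 if (m := re.match(r"\d+", p)))

def affected_references(csproj_xml: str) -> list:
    """Return (name, version) for PackageReference entries in the malicious range."""
    hits = []
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        name, ver = ref.get("Include", ""), ref.get("Version", "")
        if name.lower() == MALICIOUS_PACKAGE.lower() and ver:
            if AFFECTED_RANGE[0] <= _version_tuple(ver) <= AFFECTED_RANGE[1]:
                hits.append((name, ver))
    return hits

def scan_nupkg_for_exfil_host(nupkg) -> list:
    """Return DLL entries (a .nupkg is a zip) whose bytes embed the exfil host."""
    with zipfile.ZipFile(nupkg) as z:
        return [e for e in z.namelist() if e.lower().endswith(".dll")
                and any(p in z.read(e) for p in HOST_PATTERNS)]

# Constructed sample inputs (not real artifacts): a project file and a fake .nupkg.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Sicoob.Sdk" Version="2.0.4" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup></Project>"""

def build_sample_nupkg() -> io.BytesIO:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/net8.0/Sicoob.Sdk.dll", b"MZ\x00" + HOST_PATTERNS[1])
        z.writestr("lib/net8.0/Clean.dll", b"MZ\x00no telemetry here")
    buf.seek(0)
    return buf
```

Run affected_references over each .csproj in a solution and scan_nupkg_for_exfil_host over packages in the local NuGet cache; a hit on either is reason to rotate the PFX certificate and its password.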
Source: https://cyberpress.org/malicious-nuget-package-sicoob-sdk/
Socket cybersecurity rating report: https://www.rankiteo.com/company/socketinc
Sicoob cybersecurity rating report: https://www.rankiteo.com/company/sicooboficial