Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets
What’s new
A malicious NuGet package named “Sicoob.Sdk” (versions 2.0.0 to 2.0.4) has been discovered, designed to steal banking credentials, including client IDs and PFX certificates, from developers using Sicoob’s banking APIs. The package has been downloaded nearly 500 times and exfiltrates sensitive information to a hardcoded third-party endpoint. Following responsible disclosure, the package has been blocked by NuGet.
Who’s affected
Developers and organizations that have installed the “Sicoob.Sdk” package, particularly those integrating with Sicoob’s banking services, are at risk. The compromised PFX certificates and client IDs could lead to unauthorized access to banking operations.
What to do
- Immediately remove the “Sicoob.Sdk” package from your projects.
- Treat any exposed PFX material as compromised and replace the certificates.
- Rotate PFX passwords and change or disable affected client IDs.
- Audit Sicoob authentication and API logs for unusual activity.
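
To support the removal step, the following added example (not part of the original advisory and not code from NuGet or Sicoob) walks a source tree and reports every reference to “Sicoob.Sdk” in project files, .props files, packages.config and packages.lock.json, marking exact versions in the 2.0.0 to 2.0.4 range. The function names are hypothetical and the script assumes the standard NuGet file layouts.

```python
import json, os, re, sys
import xml.etree.ElementTree as ET

PACKAGE_ID = "sicoob.sdk"                  # NuGet package IDs are case-insensitive
LISTED = {(2, 0, p) for p in range(5)}     # versions 2.0.0 to 2.0.4 named above
XML_FILES = ("packages.config", ".csproj", ".fsproj", ".vbproj", ".props")

def in_listed_range(version):
    """True for an exact version in 2.0.0-2.0.4; ranges, wildcards and None give False."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.0)?", (version or "").strip().strip("[]"))
    return bool(m) and (int(m[1]), int(m[2]), int(m[3] or 0)) in LISTED

def scan_xml(data):
    """Versions referenced in a project file, .props file or packages.config."""
    hits = []
    for el in ET.fromstring(data).iter():
        tag = el.tag.rsplit("}", 1)[-1]    # drop the MSBuild XML namespace, if any
        pid = el.get("Include") or el.get("Update") or el.get("id") or ""
        if tag in ("PackageReference", "PackageVersion", "package") and pid.lower() == PACKAGE_ID:
            child = next((c.text for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), None)
            hits.append(el.get("Version") or el.get("version") or child)
    return hits

def scan_lock(data):
    """Resolved versions in packages.lock.json, which also records transitive packages."""
    return [info.get("resolved") for fw in json.loads(data).get("dependencies", {}).values()
            for name, info in fw.items() if name.lower() == PACKAGE_ID]

def scan_tree(root):
    """Return (relative path, version, is_listed) for every reference found under root."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            low, path = name.lower(), os.path.join(dirpath, name)
            is_xml = low.endswith(XML_FILES)
            if not (is_xml or low == "packages.lock.json"):
                continue
            try:
                with open(path, "rb") as fh:
                    versions = (scan_xml if is_xml else scan_lock)(fh.read())
            except (OSError, ValueError, AttributeError, ET.ParseError):
                print(f"could not parse {path}", file=sys.stderr)
                continue
            found += [(os.path.relpath(path, root), v, in_listed_range(v)) for v in versions]
    return sorted(found, key=lambda hit: hit[0])

if __name__ == "__main__":
    for path, ver, listed in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, ver or "(version set elsewhere)", "LISTED VERSION" if listed else "review manually")
```

A “review manually” result is a reference whose version is a range, a wildcard, defined in another file, or outside the listed range. Any hit on a machine that restored the package means the certificate, password and client ID steps above still apply.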



