Malicious NuGet Package Impersonates Brazilian Bank SDK, Steals Credentials
A malicious NuGet package posing as a C# SDK for **Sicoob**, a major Brazilian financial institution, has been discovered exfiltrating sensitive data. The rogue package targets client IDs and PFX certificates, potentially enabling attackers to impersonate legitimate banking API integrations.

Cybersecurity researchers have uncovered a malicious NuGet package masquerading as a C# software development kit for **Sicoob**, one of Brazil's largest cooperative financial systems. The purpose of this package is to siphon client IDs and PFX certificates.
According to **Socket**, versions 2.0.0 through 2.0.4 of "Sicoob.Sdk" contain functionality to exfiltrate sensitive information. This includes PFX certificates used to authenticate businesses with the Sicoob banking network for automating banking operations, such as processing instant payments and generating dynamic Pix QR codes. The package has been downloaded approximately 500 times.
"When a developer instantiates SicoobClient with a client ID, a PFX file path, and a PFX password, the package reads the PFX file from disk, Base64-encodes its contents, and sends the supplied client ID, PFX password, and encoded PFX data to a hardcoded third-party **Sentry** endpoint," security researcher Kirill Boychenko stated.
### Boleto API Data Theft
In addition, the package is designed to capture raw Boleto API responses via a separate Sentry path. **Boleto** is a popular cash payment method in Brazil for online and offline purchases. This could expose sensitive transaction details, payment status, amounts, due dates, identifiers, and payer/payee data.
Socket warns that the stolen data could lead to severe risks, enabling threat actors to impersonate the victim's Sicoob banking API integration. Following responsible disclosure, **NuGet** has blocked the package. The profile behind the package, named "sicoob," listed 11 other NuGet packages with approximately 6,000 downloads.
Notably, **Google Search** AI Mode had surfaced the malicious package as a legitimate C# library for interacting with Sicoob banking APIs, potentially amplifying its reach.
### Source Code Discrepancy
Another critical aspect is the source-to-package mismatch between the linked **GitHub** repository and the artifact distributed via NuGet. The GitHub repository is suspected to provide a veneer of legitimacy, while the malicious data-stealing functionality is introduced only in the package uploaded to the registry.
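Two of the checks described above, the hard-coded Sentry endpoint and the source-to-package mismatch, can be approximated from the artifact alone. The following Python helper is an added illustration, not Socket's tooling or anything shipped by NuGet: it treats a .nupkg as the zip archive it is, hashes every entry so a package built from the linked repository can be diffed against the registry copy, and searches each entry for Sentry-style DSN strings. It looks in both UTF-8 and UTF-16LE because .NET string literals are stored UTF-16LE in the assembly's #US heap and an ASCII grep will miss them. The package bytes, the "Example.Sdk" id and the DSN on a reserved .invalid host are all constructed for the demo.

```python
"""Audit a .nupkg (a zip archive): hash every entry and search each one for a
hard-coded Sentry DSN.  .NET string literals are stored UTF-16LE in the
assembly's #US heap, so an ASCII-only grep misses them; type names such as
X509Certificate2 are UTF-8 in the #Strings heap.  Hypothetical helper written
for this article (not Socket's or NuGet's tooling); the packages below are
constructed in memory for the demo."""
import hashlib
import io
import json
import re
import zipfile

# Sentry DSN shape: scheme://PUBLIC_KEY@HOST[/path]/PROJECT_ID
DSN_PATTERN = r"https?://[A-Za-z0-9]{16,}@[\w.-]+(?:/[\w.-]+)*/\d+"
DSN_RE_TEXT = re.compile(DSN_PATTERN)
DSN_RE_BYTES = re.compile(DSN_PATTERN.encode())


def find_dsns(data: bytes) -> set:
    """Return DSN-looking strings found as ASCII/UTF-8 or as UTF-16LE text."""
    found = {m.group(0).decode() for m in DSN_RE_BYTES.finditer(data)}
    for offset in (0, 1):  # a UTF-16LE literal may start on either byte alignment
        text = data[offset:].decode("utf-16-le", errors="ignore")
        found.update(m.group(0) for m in DSN_RE_TEXT.finditer(text))
    return found


def audit_nupkg(package_bytes: bytes) -> dict:
    """Map each file in the package to its SHA-256 and any DSNs inside it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            report[info.filename] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "dsns": sorted(find_dsns(data)),
            }
    return report


def diff_packages(built: dict, published: dict) -> dict:
    """Compare a package built from the linked source repo with the registry artifact."""
    common = set(built) & set(published)
    return {
        "only_in_published": sorted(set(published) - set(built)),
        "only_in_built": sorted(set(built) - set(published)),
        "changed": sorted(f for f in common if built[f]["sha256"] != published[f]["sha256"]),
        "dsns": {f: entry["dsns"] for f, entry in published.items() if entry["dsns"]},
    }


def _make_nupkg(entries: dict) -> bytes:
    """Build a minimal .nupkg in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: "Example.Sdk" is a placeholder package id, not Sicoob.Sdk.
NUSPEC = (b'<?xml version="1.0"?><package><metadata><id>Example.Sdk</id>'
          b'<version>2.0.4</version></metadata></package>')
CLEAN_DLL = b"MZ" + b"\0" * 32 + b"ExampleClient" + b"\0" * 8
# Placeholder DSN on a reserved .invalid host, encoded UTF-16LE like a #US heap literal.
FAKE_DSN = "https://0123456789abcdef0123456789abcdef@o0.ingest.sentry.invalid/1"
TAMPERED_DLL = CLEAN_DLL + b"X509Certificate2\0" + FAKE_DSN.encode("utf-16-le") + b"\0\0"

BUILT_PKG = _make_nupkg({"Example.Sdk.nuspec": NUSPEC,
                         "lib/net8.0/Example.Sdk.dll": CLEAN_DLL})
PUBLISHED_PKG = _make_nupkg({"Example.Sdk.nuspec": NUSPEC,
                             "lib/net8.0/Example.Sdk.dll": TAMPERED_DLL,
                             "lib/net8.0/Telemetry.dll": CLEAN_DLL})


def demo() -> dict:
    """Run the source-vs-registry comparison on the constructed packages."""
    return diff_packages(audit_nupkg(BUILT_PKG), audit_nupkg(PUBLISHED_PKG))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the "built" side comes from running `dotnet pack` on the repository at the tag the package claims to correspond to; a DLL whose hash differs, or an extra assembly that exists only in the registry copy, is exactly the discrepancy the researchers describe. A DSN hit is a triage signal, not proof: some legitimate libraries do ship crash reporting, so the question is whether the repository's source accounts for it.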
The compromise of Sicoob API authentication material can also pose indirect risks to end users, potentially leaking downstream financial data or enabling payment abuse.
### Mitigation Steps
Organizations that have installed "Sicoob.Sdk" are advised to immediately remove the package, treat PFX material as compromised, replace exposed PFX certificates, rotate PFX passwords, and change or disable affected client IDs. Auditing Sicoob authentication and API logs for unusual activity is also recommended.
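The first of those steps, finding out whether a project pulled in an affected version, is quick to script. The Python below is an added example written for this article, not a NuGet or Socket tool: it reads the direct references from a .csproj and the fully resolved graph from packages.lock.json (which also catches transitive pulls), and flags "Sicoob.Sdk" in the 2.0.0 to 2.0.4 range reported above. The sample project files are constructed.

```python
"""Find the affected Sicoob.Sdk versions (2.0.0 through 2.0.4, per Socket) in a
.NET project's direct references (.csproj) and its resolved dependency graph
(packages.lock.json, which also covers transitive pulls).  Hypothetical audit
script written for this article; the project files below are constructed."""
import json
import xml.etree.ElementTree as ET

# NuGet package ids are case-insensitive, so the key is lower-cased.
AFFECTED = {"sicoob.sdk": ((2, 0, 0), (2, 0, 4))}  # inclusive range


def parse_version(text: str) -> tuple:
    """Reduce a NuGet version or range to a (major, minor, patch) tuple.
    Ranges such as "[2.0.3, )" are reduced to their lower bound; prerelease
    and build tags (and floating parts like "2.*") are dropped, which errs on
    the side of flagging."""
    lower = text.strip().lstrip("[(").split(",", 1)[0].strip()
    core = lower.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(package: str, version: str) -> bool:
    rng = AFFECTED.get(package.lower())
    return rng is not None and rng[0] <= parse_version(version) <= rng[1]


def scan_csproj(xml_text: str) -> list:
    """Direct references: <PackageReference Include="X" Version="Y" />.
    Tag names are matched without namespace so old-style projects with an
    xmlns work too."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag if isinstance(elem.tag, str) else ""
        if tag.split("}")[-1] != "PackageReference":
            continue
        pkg = elem.get("Include") or elem.get("Update") or ""
        ver = elem.get("Version") or elem.findtext("Version") or ""
        if is_affected(pkg, ver):
            hits.append((pkg, ver))
    return hits


def scan_lockfile(json_text: str) -> list:
    """packages.lock.json: {"dependencies": {"<tfm>": {"<id>": {"resolved": "x.y.z", ...}}}}."""
    hits = set()
    for packages in json.loads(json_text).get("dependencies", {}).values():
        for pkg, meta in packages.items():
            resolved = meta.get("resolved", "")
            if is_affected(pkg, resolved):
                hits.add((pkg, resolved))
    return sorted(hits)


def audit_project(csproj_xml: str, lockfile_json: str) -> dict:
    """Combine both views; the lock file is authoritative for what was actually restored."""
    return {"direct": scan_csproj(csproj_xml), "resolved": scan_lockfile(lockfile_json)}


# Constructed sample project files.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sicoob.Sdk" Version="2.0.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.3, )", "resolved": "2.0.3",
                   "contentHash": "PLACEHOLDER"},
    "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3",
                        "contentHash": "PLACEHOLDER"}}}})

if __name__ == "__main__":
    print(json.dumps(audit_project(SAMPLE_CSPROJ, SAMPLE_LOCK), indent=2))
```

A hit in either view means the rest of the advice applies: the PFX file, its password and the client ID that the SicoobClient was instantiated with should be treated as exposed regardless of whether the Sentry upload can be confirmed in local logs, since the exfiltration happened on the developer's or build agent's machine, not on any server the organization controls.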
### Broader Supply Chain Attacks
The discovery aligns with the recent finding by the **Microsoft Defender** Security Research Team of 14 malicious npm packages that typosquat well-known **OpenSearch**, **Elasticsearch**, DevOps, and environment-configuration libraries. These packages harvest **AWS** credentials, **HashiCorp Vault** tokens, npm tokens, and CI/CD pipeline secrets from the host environment using a credential harvester launched through a preinstall hook.

These packages, published by "vpmdhaj" on May 28, 2026, include:
* @vpmdhaj/devops-tools
* @vpmdhaj/elastic-helper
* @vpmdhaj/opensearch-setup
* @vpmdhaj/search-setup
* app-config-utility
* elastic-opensearch-helper
* env-config-manager
* opensearch-config-utility
* opensearch-security-scanner
* opensearch-setup
* opensearch-setup-tool
* search-cluster-setup
* search-engine-setup
* vpmdhaj-opensearch-setup
These incidents are part of a surge in supply chain attacks targeting the npm ecosystem:
* 164 malicious npm packages across five scoped namespaces exfiltrating environment variables.
* 141 malicious npm packages that abuse npm to run an ad-monetized web proxy targeting students.
* The "forge-jsxy" npm package, a remote access trojan (RAT) with keylogging, clipboard monitoring, and cryptocurrency wallet scanning capabilities, linked to the "forge-jsx" campaign.
* 176 malicious npm packages employing dependency confusion to distribute a postinstall script for reconnaissance and credential theft.
**Sonatype** reports that threat actors are moving beyond typosquatting, employing names that appear legitimate in developer workflows to steal data and deploy malicious payloads. This makes routine installs a risk-prone pathway for reconnaissance, credential theft, and compromise.

Popular brandjacking techniques include prefix/suffix addition, dependency confusion, version mimicry, embedded target terms, altered scopes/namespaces, and names resembling legitimate package functions.
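The two mechanisms this section describes, install-time lifecycle hooks and brand-like naming, are both visible before a package runs. The Python below is an added example, not Microsoft's or Sonatype's tooling: over a dependency set modelled as a mapping from package name to its package.json, it reports every package that declares a preinstall, install or postinstall script, and scores each name against the name-based brandjacking patterns listed above (prefix/suffix addition, embedded target terms, altered scopes). The package names in the sample are taken from the Microsoft list earlier on this page, but their manifests, the script commands and the trusted-scope table are constructed for the demo.

```python
"""Two checks over an npm dependency set modelled as {name: package.json dict}:
  1. install-time lifecycle hooks (preinstall/install/postinstall), the launch
     point Microsoft reported for the credential harvester, and
  2. name-based brandjacking signals from the article: prefix/suffix addition,
     embedded target terms and altered scopes.
Hypothetical example written for this article, not Microsoft's or Sonatype's
tooling.  Package names in the sample come from the article's list, but their
manifests and the trusted-scope table are constructed for the demo."""

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Brand term -> npm scope assumed trusted for it ("" means unscoped).  Demo assumption.
TARGETS = {"opensearch": "opensearch-project", "elasticsearch": "elastic"}


def find_install_hooks(packages: dict) -> dict:
    """Return {package: {hook: command}} for every package that runs code at install."""
    hits = {}
    for name, manifest in packages.items():
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            hits[name] = hooks
    return hits


def split_scope(name: str) -> tuple:
    """'@scope/pkg' -> ('scope', 'pkg'); unscoped names -> ('', name)."""
    if name.startswith("@") and "/" in name:
        scope, bare = name[1:].split("/", 1)
        return scope, bare
    return "", name


def brandjack_signals(name: str, targets: dict) -> list:
    """List which name-based patterns the candidate matches against each brand term."""
    scope, bare = split_scope(name)
    bare = bare.lower()
    signals = []
    for term, trusted_scope in targets.items():
        if term not in bare:
            continue
        if bare != term:
            if bare.startswith(term):
                signals.append(f"suffix added to '{term}'")
            elif bare.endswith(term):
                signals.append(f"prefix added to '{term}'")
            else:
                signals.append(f"embedded target term '{term}'")
        if scope and scope != trusted_scope:
            signals.append(f"altered scope '@{scope}' for '{term}'")
    return signals


def audit(packages: dict, targets: dict) -> dict:
    """Packages worth a second look: any install hook or any brandjacking signal."""
    hooks = find_install_hooks(packages)
    report = {}
    for name in packages:
        signals = brandjack_signals(name, targets)
        if name in hooks or signals:
            report[name] = {"hooks": hooks.get(name, {}), "signals": signals}
    return report


# Constructed manifests; the script commands are placeholders, not the real packages' content.
SAMPLE_PACKAGES = {
    "@elastic/elasticsearch": {"version": "8.0.0", "scripts": {"test": "node test.js"}},
    "@vpmdhaj/opensearch-setup": {"version": "1.0.0", "scripts": {"preinstall": "node setup.js"}},
    "elastic-opensearch-helper": {"version": "1.0.0", "scripts": {"postinstall": "node index.js"}},
    "opensearch-setup-tool": {"version": "1.0.0"},
    "left-pad": {"version": "1.3.0"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_PACKAGES, TARGETS), indent=2))
```

The name signals are triage hints rather than verdicts: plenty of legitimate community packages embed a brand term, so a flagged name is a prompt to check the publisher and the repository, not a block list. The hook check is the stronger control, and npm's `ignore-scripts` setting (`npm config set ignore-scripts true`) turns it into a default: lifecycle scripts then never run during install unless explicitly re-enabled for packages that genuinely need them.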
**BlueVoyant** has linked recent software supply chain compromises to **TeamPCP**, a threat actor known for poisoning developer tools across npm, PyPI, Docker Hub, and Packagist in a worm-like manner. TeamPCP exploits automation, inherited trust, and CI/CD workflows to propagate compromises downstream.