NuGet Package Steals Banking Credentials in New Supply Chain Attack


A malicious NuGet package posing as a legitimate SDK for Brazilian bank Sicoob is stealing client IDs and PFX certificates. Learn how to protect your development environment from this supply chain attack.

If you think your software supply chain is safe, think again. Cybersecurity researchers just uncovered a malicious NuGet package that's been quietly stealing banking credentials from developers and financial institutions. This isn't some run-of-the-mill malware. The package in question, called "Sicoob.Sdk," pretends to be a legitimate C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems. But behind the scenes, it's siphoning client IDs and PFX certificates right under everyone's nose.

### What's Really Going On?

According to Socket, versions 2.0.0 through 2.0.4 of this package contain hidden code that exfiltrates sensitive data. We're talking about PFX certificates here, which are basically the digital keys to the kingdom for any financial system.

Think of it like this: someone hands you a locked box, tells you it's a tool to help you work faster, but it's actually copying all your keys while you're busy using it. That's exactly what this attack does.

The package wasn't just sitting there either. It was actively being downloaded by developers who thought they were getting a legitimate SDK from a trusted source.

### How the Attack Works

- The malicious code targets PFX certificate files stored on the developer's machine
- It also steals client IDs that are used for API authentication
- All this data gets sent to an external server controlled by the attackers

The scary part? These certificates aren't just random files. They're used to authenticate transactions and access sensitive banking systems. Once an attacker has them, they can impersonate legitimate users or even entire institutions.

### Why This Matters for You

If you're a developer working with financial APIs or any system that uses certificate-based authentication, this should be a wake-up call. Supply chain attacks like this one are becoming more common, and they're getting harder to spot.

Here's what you need to watch out for:

- Packages that have a suspicious update history or sudden version jumps
- Code that makes unexpected network connections
- Any package that requests access to certificate stores or private keys

### The Bigger Picture

This isn't an isolated incident. The same researchers have also found malicious npm packages targeting cloud secrets. It's a trend that's only going to get worse as more companies move to cloud-based infrastructure.

So what can you do? Start by auditing your dependencies. Check every package you're using, especially ones that handle authentication or security credentials. If something feels off, it probably is.

### Protecting Your Development Environment

- Use package vulnerability scanners to catch known malicious packages
- Implement strict access controls for your development machines
- Regularly rotate certificates and API keys
- Monitor for unusual outbound network traffic from your build systems

Remember, in the world of software development, trust is a dangerous thing. Always verify, never assume. Your security depends on it.
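One concrete way to act on the "audit your dependencies" advice, as an added example that is not from the article or from Socket: a Python script that scans a NuGet packages.lock.json for the Sicoob.Sdk 2.0.0 through 2.0.4 range named above, including transitive references that a .csproj would never show. The DENYLIST structure and the sample lockfile are constructed for the demo.

```python
import json
# Known-bad NuGet package IDs mapped to an inclusive version range, from the advisory
# above. NuGet IDs are case-insensitive, so keys are stored lowercased.
DENYLIST = {"sicoob.sdk": ("2.0.0", "2.0.4")}

def parse_version(version):
    """Turn a NuGet version ('2.0.3', '2.0.4-beta1', '1.2.3.4') into a comparable 4-tuple.
    Pre-release/build tags are dropped, so '2.0.4-beta1' compares as 2.0.4 (conservative)."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def audit_lockfile(lockfile_text):
    """Walk every target framework in a packages.lock.json and report each package,
    direct or transitive, whose resolved version falls inside a denylisted range."""
    lock = json.loads(lockfile_text)
    findings = []
    for tfm, packages in lock.get("dependencies", {}).items():
        for package_id, info in packages.items():
            bounds = DENYLIST.get(package_id.lower())
            if bounds is None:
                continue
            low, high = parse_version(bounds[0]), parse_version(bounds[1])
            resolved = info.get("resolved", "")
            if low <= parse_version(resolved) <= high:
                findings.append({"tfm": tfm, "package": package_id,
                                 "resolved": resolved, "type": info.get("type")})
    return findings

# Constructed sample lockfile (contentHash values are placeholders): one clean direct
# reference, one transitive pull of a denylisted version, one version just past the range.
SAMPLE_LOCKFILE = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )",
                                "resolved": "13.0.3", "contentHash": "PLACEHOLDER"},
            "Sicoob.Sdk": {"type": "Transitive", "resolved": "2.0.3",
                           "contentHash": "PLACEHOLDER"},
        },
        "net6.0": {
            "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.5, )",
                           "resolved": "2.0.5", "contentHash": "PLACEHOLDER"},
        },
    },
})
if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"DENYLISTED {f['package']} {f['resolved']} ({f['type']} in {f['tfm']})")
```

Run it against the real lockfile of each project (the file NuGet writes next to the .csproj when RestorePackagesWithLockFile is enabled) from CI so a denylisted version fails the build rather than shipping.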