Malicious NuGet Package Targets Sicoob Banking Credentials
Cybersecurity researchers have identified a malicious NuGet package, Sicoob.Sdk, which impersonates a C# software development kit for Sicoob, one of Brazil’s largest cooperative financial systems. This package is designed to exfiltrate sensitive information, including client IDs and PFX certificates, posing significant risks to businesses utilizing Sicoob’s banking services.
Versions 2.0.0 through 2.0.4 of Sicoob.Sdk contain code that reads PFX files from disk, Base64-encodes their contents, and transmits the encoded data, together with the client ID and the PFX password, to a hardcoded third-party Sentry endpoint. Sentry is an error-monitoring service, so the outbound requests look like ordinary crash telemetry rather than an obvious exfiltration channel. A PFX (PKCS #12) file bundles a certificate with its private key, and these certificates are what authenticate a business to the Sicoob banking network for operations such as processing instant payments and generating dynamic Pix QR codes. With the file and its password in hand, a threat actor can impersonate the legitimate business, leading to fraudulent transactions and financial losses.
Additionally, the package captures raw Boleto API responses via a separate Sentry path. Boleto is a widely used cash payment method in Brazil for both online and offline purchases. By intercepting these responses, attackers can access sensitive transaction details, including payment statuses, amounts, due dates, and payer or payee information. This exposure could facilitate further financial fraud and compromise the privacy of individuals involved in the transactions.
The Sicoob.Sdk package has been downloaded nearly 500 times, indicating a significant potential impact on businesses relying on Sicoob’s services. The profile behind this package, named sicoob, has also published 11 other NuGet packages, collectively amassing about 6,000 downloads. This suggests a broader campaign targeting developers and businesses within the Sicoob ecosystem.
An alarming aspect of this attack is the source-to-package mismatch between the linked GitHub repository and the artifact distributed via NuGet. The GitHub repository appears legitimate and clean, likely intended to lend credibility to the package, while the data-stealing functionality is present only in the package uploaded to the NuGet registry. The repository link in a package's metadata is declared by the publisher, and the registry does not itself verify that the uploaded .nupkg was built from that repository, so a developer who reviews the repository instead of the artifact can be deceived into trusting and integrating the compromised package.
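Because the repository link proves nothing about the artifact, the check that matters is on the .nupkg itself. The following is an added example, not code from the report or from the package it describes: it opens a .nupkg (a zip file), reads the publisher-declared repository URL from the .nuspec, and looks in each bundled assembly for the pattern described above, a hardcoded Sentry DSN next to certificate-reading and Base64 code. .NET stores string literals in the assembly's #US heap as UTF-16LE and referenced type and member names in the #Strings heap as UTF-8, so both can be recovered with byte-level searches and no decompiler. The DSN regex (32-hex-character public key) is an assumption about the usual DSN format, and the sample package, its id, repository URL and DSN are constructed placeholders.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Sentry DSN shape: https://<public_key>@<host>/<project_id>. The 32-hex-char key
# is an assumption about the common DSN format, not a detail of this package.
SENTRY_DSN_RE = re.compile(r"https?://[0-9a-fA-F]{32}@[^/\s]+/\d+")

# String literals live in the assembly's #US heap as UTF-16LE; this matches runs
# of at least 8 printable ASCII characters in that encoding.
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Referenced type/member names live in the #Strings heap as UTF-8, so a plain
# byte search is enough. Heuristic markers for "read PFX, Base64-encode it".
API_MARKERS = (b"X509Certificate2", b"ToBase64String", b"ReadAllBytes")


def extract_utf16_strings(blob):
    """Return ASCII-range string literals stored as UTF-16LE inside a binary."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN_RE.finditer(blob)]


def _local(tag):
    """Strip an XML namespace prefix: '{ns}id' -> 'id'."""
    return tag.rsplit("}", 1)[-1]


def nuspec_metadata(z):
    """Read id, version and the publisher-declared (unverified) repository URL."""
    for name in z.namelist():
        if name.lower().endswith(".nuspec"):
            root = ET.fromstring(z.read(name))
            meta = {"id": None, "version": None, "repository": None}
            for el in root.iter():
                tag = _local(el.tag)
                if tag in ("id", "version"):
                    meta[tag] = (el.text or "").strip()
                elif tag == "repository":
                    meta["repository"] = el.get("url")
            return meta
    return {}


def scan_nupkg(nupkg_bytes):
    """Open a .nupkg (a zip) and report Sentry DSNs and PFX-handling markers per assembly."""
    report = {"metadata": {}, "dsns": [], "markers": {}}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        report["metadata"] = nuspec_metadata(z)
        for name in z.namelist():
            if not name.lower().endswith(".dll"):
                continue
            blob = z.read(name)
            literals = extract_utf16_strings(blob)
            for lit in literals:
                report["dsns"].extend((name, d) for d in SENTRY_DSN_RE.findall(lit))
            hits = [m.decode() for m in API_MARKERS if m in blob]
            if any(".pfx" in lit.lower() for lit in literals):
                hits.append(".pfx literal")
            if hits:
                report["markers"][name] = hits
    # A DSN alone is normal for a library that reports errors to Sentry; a DSN
    # next to certificate-reading and Base64 code is what merits a manual look.
    report["suspicious"] = bool(report["dsns"]) and bool(report["markers"])
    return report


# Constructed stand-in for a .nupkg. The id, repository URL and DSN are placeholders.
NUSPEC = (
    '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
    "<metadata><id>Example.Sdk</id><version>2.0.3</version>"
    '<repository type="git" url="https://github.com/example/example-sdk" />'
    "</metadata></package>"
)


def build_sample_nupkg(malicious):
    """Build an in-memory package whose fake DLL carries the strings a scanner would see."""
    literals = ["certs/client.pfx"]
    if malicious:
        literals.append("https://0123456789abcdef0123456789abcdef@o000000.ingest.sentry.io/1")
    fake_dll = (
        b"MZ" + b"\x00" * 64
        + b"\x00".join(API_MARKERS) + b"\x00" * 4
        + b"".join(s.encode("utf-16-le") + b"\x00" * 4 for s in literals)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.Sdk.nuspec", NUSPEC)
        z.writestr("lib/netstandard2.0/Example.Sdk.dll", fake_dll)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_nupkg(True)
    print(scan_nupkg(data))
```

Run it against a package pulled from the local NuGet cache (typically under ~/.nuget/packages/<id>/<version>/) rather than against the GitHub checkout; the point of the check is that the two can differ. A hit is a reason to decompile and read the code, not a verdict on its own.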
The discovery of this malicious package coincides with the identification of 14 other malicious npm packages that typosquat well-known libraries to harvest AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets. These packages were published by a single threat actor and are designed to extract sensitive information from the host environment using a credential harvester launched through a preinstall hook. This parallel attack underscores the growing trend of supply chain attacks targeting developers and organizations through trusted package repositories.
Organizations that have installed Sicoob.Sdk are strongly advised to take immediate action:
– Remove the malicious package from their systems.
– Treat PFX certificates as compromised and replace them promptly.
– Protect the replacement PFX with a new password; re-protecting the old file does not help, because the file and its password were exfiltrated together.
– Change or disable affected client IDs where applicable.
– Audit Sicoob authentication and API logs for any signs of unusual activity.
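The first step presumes you know which projects pulled the package in. The following is an added example, not part of the original advisory: it walks a source tree and flags every reference to Sicoob.Sdk whose version falls in the affected range 2.0.0 through 2.0.4, reading packages.lock.json (the resolved version, which is authoritative), PackageReference elements in .csproj files, and legacy packages.config files. A bare version in a .csproj is a lower bound that NuGet resolves to the lowest available match, so it is reported as-is, while bracketed or floating ranges are reported as "range" for you to confirm against the lock file. The version parser ignores prerelease and build labels (an assumption), and the sample project tree is constructed.

```python
import json
import os
import re
import tempfile
import xml.etree.ElementTree as ET

AFFECTED_ID = "sicoob.sdk"               # NuGet package IDs are case-insensitive
AFFECTED_RANGE = ((2, 0, 0), (2, 0, 4))  # inclusive, per the report


def parse_version(text):
    """'2.0.3' or '2.0.3-beta1+build7' -> (2, 0, 3); labels are ignored (assumption)."""
    core = re.split(r"[-+]", text.strip())[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def classify(version_text):
    """'affected', 'clean', or 'range' when only a lock file can tell what resolved."""
    v = (version_text or "").strip()
    if not v or v[0] in "[(" or "*" in v:
        return "range"
    lo, hi = AFFECTED_RANGE
    return "affected" if lo <= parse_version(v) <= hi else "clean"


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # old-style projects carry an xmlns


def from_lock_file(path):
    """packages.lock.json: dependencies -> framework -> package -> {'resolved': ...}."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return [{"file": path, "version": info.get("resolved"), "status": classify(info.get("resolved"))}
            for deps in data.get("dependencies", {}).values()
            for name, info in deps.items() if name.lower() == AFFECTED_ID]


def from_csproj(path):
    """<PackageReference Include="..." Version="..."/> in SDK-style or old-style projects."""
    out = []
    for el in ET.parse(path).getroot().iter():
        if _local(el.tag) != "PackageReference":
            continue
        if (el.get("Include") or el.get("Update") or "").lower() != AFFECTED_ID:
            continue
        version = el.get("Version") or el.findtext("Version") or ""
        out.append({"file": path, "version": version, "status": classify(version)})
    return out


def from_packages_config(path):
    """Legacy packages.config: <package id="..." version="..."/>."""
    return [{"file": path, "version": el.get("version"), "status": classify(el.get("version"))}
            for el in ET.parse(path).getroot().iter()
            if _local(el.tag) == "package" and (el.get("id") or "").lower() == AFFECTED_ID]


def scan_tree(root_dir):
    """Walk a checkout and collect every reference to the affected package."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for f in files:
            p = os.path.join(dirpath, f)
            if f == "packages.lock.json":
                hits += from_lock_file(p)
            elif f.lower().endswith(".csproj"):
                hits += from_csproj(p)
            elif f == "packages.config":
                hits += from_packages_config(p)
    return hits


def summarize(hits):
    """Counts by status; 'affected' and 'range' both need the remediation steps above."""
    counts = {"affected": 0, "clean": 0, "range": 0}
    for h in hits:
        counts[h["status"]] += 1
    return counts


# Constructed sample tree; projects, paths and the 2.1.0 version are illustrative only.
CSPROJ = '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup><PackageReference Include="%s" Version="%s" /></ItemGroup></Project>'
SAMPLE_FILES = {
    "App/App.csproj": CSPROJ % ("Sicoob.Sdk", "2.0.3"),
    "App/packages.lock.json": json.dumps({"version": 1, "dependencies": {"net8.0": {
        "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.3, )", "resolved": "2.0.3"}}}}),
    "Worker/Worker.csproj": CSPROJ % ("sicoob.sdk", "[2.0.0,2.0.4]"),
    "Legacy/packages.config": '<packages><package id="Sicoob.Sdk" version="2.0.0" /></packages>',
    "Other/Other.csproj": CSPROJ % ("Sicoob.Sdk", "2.1.0"),
}


def build_sample_tree():
    """Write the constructed files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="nuget-audit-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Pair the source-tree scan with a look at the NuGet cache and at build servers, since a CI agent that restored the package has already run its code even if the reference was later removed.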
These steps are crucial to mitigate the risks posed by the compromised package and to safeguard sensitive financial information from potential exploitation.
The incident highlights the critical importance of vigilance in the software supply chain. Developers and organizations must exercise caution when integrating third-party packages, especially those related to financial operations. Robust practices, such as inspecting the published artifact rather than trusting its linked repository, pinning dependencies in lock files, monitoring for outbound connections the application has no reason to make (here, to a Sentry endpoint the organization does not use), and conducting regular security audits, can help prevent similar attacks in the future.