Sicoob NuGet imposter steals PFX certs and Pix creds
Key insights
- Sicoob.Sdk versions 2.0.0-2.0.4 read PFX certificates from disk and sent them to an attacker-controlled Sentry endpoint over 23 days.
- The same threat actor published 11 additional malicious NuGet packages accumulating roughly 6,000 downloads before the publisher profile was blocked.
- Any .NET app integrating with Sicoob's Pix APIs must rotate PFX certificates, change client credentials, and audit transaction logs for unauthorized payments.
Why this matters
Supply chain attacks on financial API SDKs are a more targeted threat than traditional credential phishing: a PFX file bundles the client certificate with its private key, so a stolen PFX plus its password is exactly the mutual-TLS material needed to impersonate a live bank integration and authorize real payment transactions. The 6,500 total downloads across 12 malicious packages indicate a sustained, coordinated campaign, and NuGet's publisher vetting and package scanning failed to catch active exfiltration code for weeks. For .NET developers integrating with any financial API, the incident shows that Sentry-based exfiltration is now an active evasion technique; teams need to audit outbound traffic from build and integration environments, not just production systems, and treat error-tracking endpoints as part of the egress allowlist rather than assuming that traffic is benign.
Summary
A fake NuGet package impersonating Sicoob's C# SDK stole PFX certificates and banking passwords from .NET developers building Pix payment integrations.
Socket found that 'Sicoob.Sdk' versions 2.0.0-2.0.4 read PFX files from disk and sent their contents, along with client IDs and passwords, to an attacker-controlled Sentry endpoint. The package was live from May 5 to May 28 and accumulated ~500 downloads.
Socket and NuGet also identified a wider campaign: 11 more packages from the same actor totaled ~6,000 downloads before the publisher profile was blocked.
- Stolen PFX certificates and their passwords could be used to authorize Pix transactions in real time.
- Sentry abuse disguised exfiltration as routine error-tracking traffic.
Financial API supply chain attacks are narrowing in precision, targeting the exact credentials needed to impersonate bank integrations.
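A quick triage script of the kind an affected team might run, added here as an illustration and not code from Socket, Sicoob or the original article. It flags the reported package and version range (Sicoob.Sdk 2.0.0 through 2.0.4) in .csproj files and packages.lock.json, and scans restored package bytes for Sentry DSNs whose host is not on an organization allowlist, since the page's point is that exfiltration hid inside error-tracking traffic. The allowlist host, the sample project files and the sample DSNs below are constructed for the example; the attacker's real DSN is not reproduced.

```python
import json
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Package and version range named in the report: Sicoob.Sdk 2.0.0 through 2.0.4.
MALICIOUS = {"sicoob.sdk": ("2.0.0", "2.0.4")}

# Hypothetical allowlist of Sentry ingest hosts this organization actually uses.
# A DSN in a restored package that points anywhere else deserves a look.
ALLOWED_SENTRY_HOSTS = {"o123456.ingest.sentry.io"}  # assumption, not a real tenant

# Sentry DSN shape: https://<hex public key>[:secret]@<host>[:port]/<project id>
SENTRY_DSN_RE = re.compile(
    r"https?://[0-9a-f]{16,64}(?::[0-9a-f]+)?@([A-Za-z0-9.\-]+)(?::\d+)?/\d+")


def parse_version(v):
    """Numeric core of a NuGet version ('2.0.4-beta1' -> (2, 0, 4)), padded to 3 parts."""
    core = v.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_malicious(name, version):
    rng = MALICIOUS.get(name.lower())
    if rng is None:
        return False
    lo, hi = rng
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def flagged_from_csproj(text):
    """Exact <PackageReference> pins only; floating ranges need the lock file."""
    hits = []
    for el in ET.fromstring(text).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":  # tolerate msbuild xmlns
            continue
        name, ver = el.get("Include"), el.get("Version")
        if ver is None:  # <Version> child-element form
            child = el.find("Version")
            ver = child.text if child is not None else None
        if name and ver and not ver.startswith(("[", "(")) and is_malicious(name, ver):
            hits.append((name, ver))
    return hits


def flagged_from_lockfile(text):
    """packages.lock.json records the resolved version per target framework."""
    hits = []
    for deps in json.loads(text).get("dependencies", {}).values():
        for name, info in deps.items():
            ver = info.get("resolved")
            if ver and is_malicious(name, ver) and (name, ver) not in hits:
                hits.append((name, ver))
    return hits


def unexpected_sentry_dsns(blob):
    """Sentry hosts found in raw bytes (source or DLL) that are not on the allowlist.
    .NET assemblies store strings as UTF-16LE, so decode at both byte offsets plus UTF-8."""
    views = [blob.decode("utf-8", "ignore"),
             blob.decode("utf-16-le", "ignore"),
             blob[1:].decode("utf-16-le", "ignore")]
    hosts = {m.group(1) for text in views for m in SENTRY_DSN_RE.finditer(text)}
    return sorted(h for h in hosts if h not in ALLOWED_SENTRY_HOSTS)


def scan_tree(root):
    """Walk a checkout (or the NuGet cache) and collect both kinds of findings."""
    root, report = Path(root), {"packages": [], "sentry_hosts": []}
    for p in root.rglob("*.csproj"):
        report["packages"] += [(str(p), n, v) for n, v in flagged_from_csproj(p.read_text(encoding="utf-8"))]
    for p in root.rglob("packages.lock.json"):
        report["packages"] += [(str(p), n, v) for n, v in flagged_from_lockfile(p.read_text(encoding="utf-8"))]
    for p in list(root.rglob("*.dll")) + list(root.rglob("*.cs")):
        report["sentry_hosts"] += [(str(p), h) for h in unexpected_sentry_dsns(p.read_bytes())]
    return report


# Constructed samples (not taken from the malicious package).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sicoob.Sdk" Version="2.0.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.1, )", "resolved": "2.0.1"},
    "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"}}}})

# A fake "assembly": one DSN stored UTF-16LE at an odd byte offset (unknown tenant),
# one UTF-8 DSN on the allowlist. Keys and hosts are made up.
SAMPLE_BLOB = (b"\x00\x01garbage"
               + "https://0123456789abcdef0123456789abcdef@o999999.ingest.sentry.io/4".encode("utf-16-le")
               + b"\x00\x00https://fedcba9876543210fedcba9876543210@o123456.ingest.sentry.io/1")

if __name__ == "__main__":
    print("csproj hits:", flagged_from_csproj(SAMPLE_CSPROJ))
    print("lockfile hits:", flagged_from_lockfile(SAMPLE_LOCK))
    print("unexpected Sentry hosts:", unexpected_sentry_dsns(SAMPLE_BLOB))
```

Run `scan_tree` against the repository and against `~/.nuget/packages` (the restore cache keeps copies of every version ever restored, including ones no longer referenced). A hit on the package range means the PFX and client credentials on that machine must be treated as compromised regardless of what the DSN scan shows; the DSN check is there to catch the same trick in packages the report did not name.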
Potential risks and opportunities
Risks
- .NET developers who installed any of the 12 malicious packages before May 28 remain exposed to unauthorized Pix transactions until their PFX certificates and client credentials are rotated
- NuGet and Microsoft face pressure from enterprise .NET financial customers to implement mandatory static analysis flagging certificate-file access in newly published packages
- Sicoob's partner ecosystem faces audit and liability exposure if stolen credentials were used to process fraudulent Pix transactions that cleared before detection
Opportunities
- Software supply chain security vendors (Socket, Phylum, Sonatype) gain direct market validation for proactive malicious-package detection pitched to Brazilian fintech development teams
- NuGet tooling providers (JFrog Xray, Snyk) can pitch mandatory PFX and certificate-access scanning rules to enterprise .NET shops operating in the financial sector
- Brazilian fintech security consultancies and Sicoob integration partners have an immediate opening to offer rapid credential-rotation and log-audit services to affected development teams
What we don't know yet
- Whether any of the developers behind the ~6,500 downloads have confirmed that stolen PFX certificates were used to authorize unauthorized Pix transactions before the May 28 takedown
- Attribution of the threat actor: no government or organized crime link was confirmed in public reporting as of May 28
- Whether Sicoob or Brazil's Banco Central do Brasil has begun monitoring for fraudulent Pix transactions tied to the compromised client credentials
Originally reported by thehackernews.com. Original headline: Malicious 'Sicoob.Sdk' NuGet Package Exfiltrates PFX Certificates and Banking Passwords From .NET Developers Integrating With Brazil's Largest Cooperative Bank