How the Attack Worked
A malicious package named Sicoob.Sdk was published on the NuGet package repository in early May 2026, posing as an official software development kit for Brazil’s Sicoob banking platform. The package, which saw multiple version releases from 2.0.0 to 2.0.4, claimed to offer .NET 8 integration for authentication, mutual TLS, and API communication. It attracted 484 downloads before being removed. Developers working on financial applications were the primary targets, as Sicoob serves millions of users across Brazil.
The rogue SDK contained hidden data exfiltration code that activated during normal initialization. When a developer provided a client ID, a PFX certificate file, and a password, the package secretly read the certificate from disk and encoded it. It then transmitted the certificate archive, along with the plaintext password and client ID, to a third-party Sentry endpoint. Since PFX files contain both a certificate and its private key, attackers who obtain this data can impersonate legitimate banking integrations and gain unauthorized access to financial APIs.
Impact and Scope
A particularly concerning aspect of this attack is its use of legitimate telemetry infrastructure to avoid detection. Instead of connecting to traditional command-and-control servers, the malicious SDK leveraged Sentry, a widely trusted error monitoring platform, to transmit stolen credentials. This approach allowed the exfiltration to blend in with normal application telemetry, making it difficult for security tools to flag the activity as malicious.
Static and dynamic analysis confirmed that the credential harvesting occurred during SDK initialization in production mode. The code initialized a hardcoded Sentry configuration and sent captured credentials as part of a telemetry message. In some cases, even sensitive financial transaction data such as boleto payment responses could be exposed, potentially leaking transaction details and payer information. This incident highlights the growing threat of supply chain attacks targeting the financial sector through compromised development tools.
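As an added example, not part of the original article or of any Sicoob or Sentry code, the following Python egress check shows how a defender could flag the pattern described above: a Sentry event sent to a project the organization does not own that carries credential-named fields or a base64 blob decoding to a PKCS#12 (PFX) structure. The allowlisted project, the field-name list and the sample event are constructed assumptions.

```python
import base64
import json
import re

# Constructed allowlist: the Sentry ingest host/project this organization actually uses.
APPROVED_SENTRY_PROJECTS = {"o1234567.ingest.sentry.io/9876543"}
# Field names that should never appear as plaintext in outbound telemetry (assumed list).
SECRET_KEYS = {"password", "client_id", "clientid", "pfx", "certificate"}
# DER encoding of OID 1.2.840.113549.1.7.1 (PKCS#7 data), the authSafe content type of a PFX.
PKCS7_DATA_OID = bytes.fromhex("06092a864886f70d010701")
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

def looks_like_pkcs12(blob: bytes) -> bool:
    """Heuristic: a PFX is a DER SEQUENCE whose first element is INTEGER version 3."""
    return blob[:1] == b"\x30" and b"\x02\x01\x03" in blob[:8] and PKCS7_DATA_OID in blob

def walk(obj, path=""):
    """Yield (dotted path, leaf value) for every leaf of a JSON-like structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, obj

def analyze_event(destination: str, body: str) -> list[str]:
    """Return findings for one outbound Sentry event (destination = ingest host/project id)."""
    findings = []
    if destination not in APPROVED_SENTRY_PROJECTS:
        findings.append(f"unapproved Sentry destination {destination}")
    for path, value in walk(json.loads(body)):
        if not isinstance(value, str) or not value:
            continue
        if path.rsplit(".", 1)[-1].lower() in SECRET_KEYS:
            findings.append(f"credential-like field {path}")
        for match in B64_RE.finditer(value):
            try:
                raw = base64.b64decode(match.group(0), validate=True)
            except ValueError:  # binascii.Error is a ValueError: not real base64
                continue
            if looks_like_pkcs12(raw):
                findings.append(f"base64 PKCS#12 blob in {path}")
    return findings

# Constructed sample: a minimal PKCS#12-shaped DER header padded to look like a small file.
FAKE_PFX = bytes.fromhex("30820040020103") + PKCS7_DATA_OID + b"\x00" * 40
SAMPLE_EVENT = json.dumps({"message": "SDK initialized", "extra": {
    "client_id": "cid-EXAMPLE", "password": "example-pass",
    "pfx": base64.b64encode(FAKE_PFX).decode()}})
```

Apply it to decoded Sentry envelope bodies at an egress proxy; the OID check is a heuristic for triage, not a PKCS#12 parser.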
Source: Cyber Security News

