Malicious Package Targets Sicoob Developers
A fraudulent NuGet package, named Sicoob.Sdk, has been uncovered by cybersecurity researchers at Socket. The package impersonates the official C# software development kit for Sicoob, a major cooperative financial system in Brazil. Versions 2.0.0 through 2.0.4 of this package are designed to steal client IDs and PFX certificates, which are essential for authenticating businesses with Sicoob’s banking network. These certificates allow automated banking operations, such as processing instant payments and generating dynamic Pix QR codes.
Data Theft and Impact
When a developer initializes the SicoobClient with a client ID, PFX file path, and password, the malicious package reads the PFX file from disk, Base64-encodes its contents, and sends the sensitive data, including the password, to a hardcoded third-party Sentry endpoint. Additionally, the package captures raw Boleto API responses, potentially exposing transaction details, payment status, amounts, due dates, and payer or payee information. With the certificate and its password, an attacker could impersonate the victim's Sicoob banking API integration, leading to significant financial fraud.
Discovery and Response
The package, attributed to a profile named “sicoob,” had nearly 500 downloads before being blocked by NuGet after responsible disclosure. The same profile also published 11 other NuGet packages that collectively accumulated about 6,000 downloads. Socket noted that the malicious package was even surfaced by Google Search AI Mode as a legitimate library, increasing the risk for unsuspecting developers searching for Sicoob banking APIs.
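As an added defensive check (not code from the report or from Socket), the script below flags the affected Sicoob.Sdk versions in a .NET project's .csproj and packages.lock.json. The file formats are the standard NuGet ones; the sample project files are constructed for the demonstration.

```python
import json
import re
import xml.etree.ElementTree as ET

# Package name and affected versions as reported by Socket (inclusive range).
MALICIOUS_PACKAGE = "sicoob.sdk"
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 0, 4)

def parse_version(text):
    # NuGet versions may carry '-prerelease' or '+build' suffixes; keep the numeric core.
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(package, version):
    if package.lower() != MALICIOUS_PACKAGE:
        return False
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def scan_csproj(xml_text):
    # Yield (package, version) from <PackageReference Include=".." Version=".."/>.
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        name = ref.get("Include")
        version = ref.get("Version") or ref.findtext("Version") or ""
        if name and version:
            yield name, version

def scan_lock_file(json_text):
    # Yield (package, resolved version) from packages.lock.json, all target frameworks.
    for deps in json.loads(json_text).get("dependencies", {}).values():
        for name, info in deps.items():
            yield name, info.get("resolved", "")

def find_affected(csproj_text, lock_text):
    # Return every flagged (package, version) pair from both project files.
    refs = list(scan_csproj(csproj_text)) + list(scan_lock_file(lock_text))
    return [(n, v) for n, v in refs if is_affected(n, v)]

# Constructed sample inputs for demonstration (not taken from the report).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Sicoob.Sdk" Version="2.0.3" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.3, )", "resolved": "2.0.3"},
    "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"}}}})
```

Run `find_affected` over a real project's files; any hit means the PFX certificate and password given to that project should be treated as compromised and rotated.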
Source: The Hacker News

