Malicious NuGet Package Targets Sicoob Users

Cybersecurity researchers have discovered a malicious NuGet package masquerading as a C# software development kit for Sicoob, one of the largest cooperative financial systems in Brazil. Analysis by Socket reveals that versions 2.0.0 to 2.0.4 of the package "Sicoob.Sdk" contain functions aimed at exfiltrating sensitive information such as client IDs and PFX certificates. The package was published in the NuGet registry and presented itself as legitimate software to gain the trust of developers. The malicious functionality allows attackers to access critical data required for authentication and access to banking services. PFX certificates are particularly valuable as they contain private keys used for encryption and digital signatures.

Socket's security researchers have found that the affected versions of the package are capable of sending data to an external server. This data transmission typically occurs unnoticed, making the detection of the malware more difficult. Developers using the package in their projects could unknowingly jeopardize their systems and those of their customers. The discovery of the malicious package has drawn the attention of the security community to the risks associated with using third-party packages. In software development, it is crucial to verify the integrity and origin of libraries before integrating them into projects.

Utilizing tools to check dependencies can help identify such threats. The vulnerability has been classified as particularly concerning, as it affects not only individuals but also businesses relying on Sicoob services. The possibility of attackers accessing banking data could have severe financial consequences. Security researchers recommend immediately uninstalling all affected versions of the package and switching to secure alternatives. Incidents like this highlight the need for increased awareness of cybersecurity risks in software development.

Companies should provide training to educate their employees about the dangers of malware and phishing attacks. Implementing security policies and conducting regular audits can also help minimize the risk of security incidents. Socket has already removed the affected versions of the package from the NuGet registry. Developers who have downloaded the package should check their systems for signs of compromise. Security researchers advise analyzing logs for suspicious activities and taking additional security measures if necessary.

The incidents surrounding the Sicoob package are not the first of their kind. In recent years, there have been several similar attacks where malicious packages were published in popular repositories. These attacks demonstrate that cybercriminals are constantly developing new methods to bypass security measures and steal sensitive data. The vulnerability affects not only Brazil but could also impact international developer communities accessing Sicoob services. The spread of such malware could have far-reaching implications for the global financial landscape.

Security researchers warn that the threat of malicious software in software development will continue to increase if appropriate security measures are not taken. Socket's security researchers have classified the situation as critical and advise all developers to regularly review their dependencies. Using security tools to analyze NuGet packages can help detect potential threats early. The current threat landscape requires a high level of vigilance and proactive protective measures. The affected versions of the package were removed from the registry on June 1, 2026, and security researchers are working to gather more information about the attackers and their methods.