Malicious NuGet Package Sicoob.Sdk Exfiltrates Client IDs and PFX Certificates
Uninstall the compromised Sicoob.Sdk package, revoke any exposed PFX certificates, and replace the SDK with a trusted version.
Summary
Security researchers discovered that the NuGet package Sicoob.Sdk, marketed as a C# SDK for Brazil’s largest cooperative financial system, was compromised in versions 2.0.0 through 2.0.4. The malicious code was designed to exfiltrate sensitive data, including client IDs and PFX certificates that are used for authentication and signing. The package masquerades as a legitimate SDK, making it difficult for developers to detect the compromise. Socket, the security firm that uncovered the issue, identified the exfiltration payload in the package’s build scripts and runtime libraries. The attackers leveraged the SDK’s ability to load certificates from the local machine, allowing them to harvest PFX files used by Sicoob’s clients. The exfiltration traffic was sent to a remote server controlled by the threat actors, and the data was used to facilitate further attacks on financial systems. The discovery highlights the risks of third‑party packages that handle cryptographic material. Researchers recommend removing the compromised package and revoking any exposed certificates immediately.
The affected versions 2.0.0, 2.0.1, 2.0.2, 2.0.3, and 2.0.4 all contain the same malicious payload. The code was obfuscated and hidden within the SDK’s authentication module, making static analysis challenging. The exfiltration mechanism used HTTP POST requests to a hard‑coded endpoint that was not publicly documented. The attackers also added a backdoor that could be triggered by a custom header, allowing remote control of the SDK. The incident underscores the importance of vetting third‑party libraries that handle sensitive credentials.
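The first remediation step is finding out which projects in a codebase actually pull in one of the affected versions. The script below is an added example written for this summary; it is not Socket's tooling or anything shipped by the Sicoob.Sdk project. It walks a repository, reads `PackageReference` and `PackageVersion` items from `.csproj`/`.props`/`.targets` files and the `resolved` versions in `packages.lock.json`, and classifies each Sicoob.Sdk reference as affected (2.0.0 through 2.0.4, the range given above), clean, or needing manual review when the version is a NuGet range or floating version that cannot be compared directly. The sample project files it scans are constructed for the demonstration.

```python
"""Find Sicoob.Sdk references in the compromised 2.0.0-2.0.4 range (added example)."""
import json
import os
import re
import tempfile
import xml.etree.ElementTree as ET

PACKAGE = "Sicoob.Sdk"
AFFECTED_MIN = (2, 0, 0)   # inclusive bounds from the advisory
AFFECTED_MAX = (2, 0, 4)

# Exact versions only: "2.0.3", "2.0.3.1", "2.0.3-beta1". Ranges like
# "[2.0.0,2.1.0)" and floating versions like "2.0.*" do not match.
_EXACT = re.compile(r"^\d+(\.\d+){1,3}(-[0-9A-Za-z.-]+)?$")


def parse_version(text):
    """Return (major, minor, patch) for an exact version, None otherwise."""
    if not _EXACT.match(text):
        return None
    core = text.split("-", 1)[0]          # a prerelease suffix is ignored (conservative)
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def classify(version_text):
    """'affected', 'clean', or 'review' for versions that need a human look."""
    v = parse_version(version_text.strip())
    if v is None:
        return "review"
    return "affected" if AFFECTED_MIN <= v <= AFFECTED_MAX else "clean"


def _local(tag):
    # Strip the MSBuild XML namespace that old-style project files carry.
    return tag.rsplit("}", 1)[-1]


def scan_msbuild_file(path):
    """Yield (package, version_text) for Sicoob.Sdk PackageReference/PackageVersion items."""
    for el in ET.parse(path).iter():
        if _local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = el.get("Include") or el.get("Update") or ""
        if name.lower() != PACKAGE.lower():
            continue
        version = el.get("Version")
        if version is None:               # <Version> may also be a child element
            child = next((c for c in el if _local(c.tag) == "Version"), None)
            version = (child.text or "") if child is not None else ""
        yield name, version


def scan_lock_file(path):
    """Yield (package, resolved_version) from a NuGet packages.lock.json."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    for deps in data.get("dependencies", {}).values():
        for name, info in deps.items():
            if name.lower() == PACKAGE.lower():
                yield name, info.get("resolved", "")


def scan_tree(root):
    """Return sorted (relative_path, version_text, status) tuples for the whole tree."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.endswith((".csproj", ".props", ".targets")):
                items = scan_msbuild_file(path)
            elif fn == "packages.lock.json":
                items = scan_lock_file(path)
            else:
                continue
            for _, version in items:
                findings.append((os.path.relpath(path, root), version, classify(version)))
    return sorted(findings)


# Constructed sample repository: one direct hit, one lock-file hit, one range, one clean.
SAMPLE_FILES = {
    "Api/Api.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
                      '<PackageReference Include="Sicoob.Sdk" Version="2.0.3" />'
                      '<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />'
                      '</ItemGroup></Project>',
    "Api/packages.lock.json": json.dumps({"version": 1, "dependencies": {"net8.0": {
        "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.3, )", "resolved": "2.0.3"}}}}),
    "Directory.Packages.props": '<Project><ItemGroup>'
                                '<PackageVersion Include="Sicoob.Sdk" Version="[2.0.0,2.1.0)" />'
                                '</ItemGroup></Project>',
    "Worker/Worker.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
                            '<PackageReference Include="Sicoob.Sdk"><Version>1.9.2</Version>'
                            '</PackageReference></ItemGroup></Project>',
}


def demo():
    """Write the constructed files to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, version, status in demo():
        print(f"{status:8} {version:16} {rel_path}")
```

Run it against a real checkout with `scan_tree("/path/to/repo")`. A `review` result is deliberate: a version range such as `[2.0.0,2.1.0)` can resolve into the affected set depending on what the feed offers, so the lock file or `dotnet list package` output should be checked rather than trusting the range.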
Key changes
- Versions 2.0.0–2.0.4 of Sicoob.Sdk contain a malicious payload that exfiltrates client IDs and PFX certificates.
- The SDK masquerades as a legitimate C# library for Brazil’s Sicoob cooperative financial system.
- Exfiltration traffic is sent to a remote server via obfuscated HTTP POST requests.
- The attackers added a backdoor that can be triggered by a custom header for remote control.
- The compromised code is hidden within the SDK’s authentication module, evading static analysis.
- The incident highlights the risk of third‑party packages handling cryptographic material.
- Socket identified the issue and released a remediation guide.