Last updated: July 5, 2026 at 9:01 AM UTC
Tag: banking (1 article)

Malicious 'Sicoob.Sdk' NuGet steals Brazilian banking PFX certificates via hardcoded Sentry endpoint - amplified by Google Search AI Mode

Socket has flagged a malicious NuGet package, Sicoob.Sdk (versions 2.0.0-2.0.4), that masquerades as a C# SDK for Sicoob, one of Brazil's largest cooperative financial systems, and steals PFX certificates used to authenticate businesses with Sicoob's banking APIs. When a developer instantiates SicoobClient, the package reads the PFX file from disk, Base64-encodes it, and exfiltrates the client ID, PFX password, and encoded certificate to a hardcoded third-party Sentry endpoint. It also captures raw Boleto API responses. The package was downloaded ~500 times and the publisher has 11 other NuGet packages with ~6,000 combined downloads. Google Search AI Mode reportedly amplified the package as legitimate.

Check
Inventory C# projects for Sicoob.Sdk versions 2.0.0-2.0.4 and the publisher's 11 other packages. Search outbound traffic for connections to the attacker's Sentry endpoint identified in Socket's IoCs.
Affected
C# developers integrating with Sicoob banking APIs in Brazil. Any project that pulled Sicoob.Sdk via NuGet had PFX certificates, client IDs, and Boleto data harvested.
Fix
Remove all 12 affected NuGet packages and rotate every Sicoob PFX certificate and client credential reachable from affected hosts. Going forward, verify that NuGet package signatures match the expected GitHub source.
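
One way to run the inventory described under Check, as an added example that is not from Socket or the original article: a Python scan of NuGet manifests and lock files for references to Sicoob.Sdk, marking versions 2.0.0-2.0.4. The function names, the set of manifest files scanned, and the sample project tree are assumptions made for this example.

```python
import json
import re
import tempfile
from pathlib import Path

PACKAGE = "Sicoob.Sdk"
BAD_VERSIONS = {f"2.0.{p}" for p in range(5)}  # 2.0.0-2.0.4, the range named in the advisory
MANIFESTS = ("*.csproj", "packages.config", "Directory.Packages.props", "packages.lock.json")
# Matches PackageReference/PackageVersion (Include=, Version=) and packages.config (id=, version=).
XML_REF = re.compile(r'<(?:PackageReference|PackageVersion|package)\b[^>]*?'
                     r'\b(?:Include|id)="([^"]+)"[^>]*?\bversion="([^"]+)"', re.I)

def references(path):
    """Yield (package_id, version) pairs declared in one NuGet manifest."""
    text = path.read_text(encoding="utf-8-sig", errors="replace")
    if path.name == "packages.lock.json":
        # The lock file records the version actually restored, including transitive packages.
        for deps in json.loads(text).get("dependencies", {}).values():
            for name, meta in deps.items():
                yield name, meta.get("resolved", "")
    else:
        yield from XML_REF.findall(text)

def scan(root, package=PACKAGE, bad=BAD_VERSIONS):
    """Return sorted (relative path, version, in_flagged_range) for each reference to package."""
    root, hits = Path(root), []
    for pattern in MANIFESTS:
        for path in root.rglob(pattern):
            for name, version in references(path):
                if name.lower() == package.lower():  # NuGet IDs are case-insensitive
                    ver = version.strip("[] ")  # "[2.0.3]" is an exact pin
                    hits.append((path.relative_to(root).as_posix(), ver, ver in bad))
    return sorted(hits)

def demo():
    """Scan a constructed project tree (all file contents below are made up for the example)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Billing").mkdir()
        (root / "Billing" / "Billing.csproj").write_text(
            '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
            '<PackageReference Include="sicoob.sdk" Version="2.0.3" />'
            '<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />'
            '</ItemGroup></Project>')
        (root / "packages.lock.json").write_text(json.dumps({"version": 1, "dependencies": {
            "net8.0": {"Sicoob.Sdk": {"type": "Direct", "resolved": "2.0.4"}}}}))
        (root / "packages.config").write_text(  # constructed version outside the flagged range
            '<packages><package id="Sicoob.Sdk" version="9.9.9" /></packages>')
        return scan(root)
```

The regex does not cover a version given as a child `<Version>` element or a floating range, so treat any unversioned reference to the package as a hit to review by hand. The publisher's other package IDs are not listed here; pass each one as `package` once you have them from Socket's report.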