Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords
Malicious NuGet package impersonates Sicoob SDK to steal banking certificates and passwords.
Summary
A fake Sicoob.Sdk NuGet package (versions 2.0.0–2.0.4) exfiltrated banking authentication material including client IDs, PFX passwords, and base64-encoded certificate archives through a hardcoded Sentry endpoint. The malicious package was published under a spoofed publisher identity and linked GitHub organization, reaching 484 downloads before NuGet blocked it. Affected organizations must immediately revoke compromised PFX certificates, rotate credentials, and audit Sicoob API logs for unauthorized access.
Indicators of Compromise
- domain — o4511335034847232.ingest.de.sentry.io
- url — https://d565e3f03d0b1a7c8935d7ff94237316@o4511335034847232.ingest.de.sentry.io/4511337546317904
- malware — Sicoob.Sdk
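
The following audit script is an added example, not code from the advisory or from Socket. It reports every reference to the package ID in a source tree and marks the versions the summary lists (2.0.0–2.0.4), and it filters log lines for the exfiltration host. The function names and the choice of manifest files (`.csproj`, `packages.config`, `packages.lock.json`) are assumptions made for illustration.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import Path

PACKAGE_ID = "sicoob.sdk"                  # NuGet IDs compare case-insensitively
LISTED = {f"2.0.{n}" for n in range(5)}    # 2.0.0 through 2.0.4, per the summary above
IOC_DOMAIN = "o4511335034847232.ingest.de.sentry.io"

def normalize(version):
    """NuGet normalization for the case that matters here: 2.0.3.0 -> 2.0.3."""
    parts = version.strip().split(".")
    return ".".join(parts[:3] if len(parts) == 4 and parts[3] == "0" else parts)

def refs_in_xml(text):
    """Yield (id, version) from .csproj PackageReference or packages.config package elements."""
    for el in ET.fromstring(text).iter():
        if el.tag.split("}")[-1] not in ("PackageReference", "package"):
            continue
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        version = attrs.get("version")
        if version is None:  # version given as a child <Version> element instead
            version = next((c.text for c in el if c.tag.split("}")[-1] == "Version"), "")
        yield attrs.get("include") or attrs.get("id") or "", version or ""

def refs_in_lock(text):
    """Yield (id, resolved version) from packages.lock.json, transitive entries included."""
    for deps in json.loads(text).get("dependencies", {}).values():
        for name, info in deps.items():
            yield name, info.get("resolved", "")

def scan_tree(root):
    """Return (path, version, listed) for every reference to the package under root.

    listed is False for floating or other versions; those still need manual review.
    """
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if path.name == "packages.lock.json":
            refs = refs_in_lock
        elif path.suffix == ".csproj" or path.name == "packages.config":
            refs = refs_in_xml
        else:
            continue
        for name, version in refs(path.read_text(encoding="utf-8-sig")):
            if name.lower() == PACKAGE_ID:
                findings.append((str(path), version, normalize(version) in LISTED))
    return findings

def ioc_lines(lines):
    """Return log lines (proxy, DNS, EDR export) that mention the exfiltration host."""
    return [ln for ln in lines if IOC_DOMAIN in ln.lower()]
```

A hit in a lock file with no matching direct reference means the package arrived transitively, so the project that pulled it in needs the same review.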