A supply chain attack targeting developers building integrations with Sicoob — one of Brazil’s largest cooperative financial networks — quietly siphoned sensitive banking credentials for weeks before being detected. The malicious NuGet package, posing as an official C# SDK for the Sicoob API, exfiltrated PFX certificates, client IDs, and PFX passwords directly to an attacker-controlled endpoint. Making matters worse, Google’s AI search mode surfaced the malicious package as the legitimate integration library — amplifying its reach to unsuspecting developers.
Sicoob and Why Developers Are a Target
Sicoob (Sistema de Cooperativas de Crédito do Brasil) is a financial cooperative with tens of millions of members and deep integration into Brazil’s payment infrastructure. Companies and fintechs that build on Sicoob’s API use PFX certificates — a type of cryptographic credential file — to authenticate their applications and authorize banking operations, including instant Pix payments and dynamic Pix QR code generation.
Those PFX files are high-value targets. They effectively represent the keys to a company’s banking integration. An attacker with a valid PFX certificate and its password can authenticate as that company to the Sicoob network, potentially initiating fraudulent payment flows or intercepting transaction data.
This is what made the fake Sicoob.Sdk NuGet package so dangerous: it didn’t target end users. It targeted the developers building the payment infrastructure itself.
The Attack
Researchers at Socket discovered the malicious package after it appeared on NuGet on May 5, 2026. The package was updated through version 2.0.4 on May 6 before NuGet administrators pulled it following an abuse report.
The attack was technically sophisticated in its deception. The public-facing codebase was clean — a functional, convincing API wrapper that would pass a casual code review. The malicious behavior was shipped separately as a tampered binary via NuGet, meaning developers who inspected the source would see nothing wrong until they looked at the compiled package behavior.
When a developer instantiated SicoobClient — the main entry point for the SDK — and passed in the standard arguments (client ID, PFX file path, PFX password), the package executed its exfiltration routine:
- Read the PFX certificate file from the local filesystem
- Base64-encoded the entire PFX contents
- Transmitted the encoded PFX, the PFX password, and the client ID to a hardcoded third-party Sentry endpoint controlled by the attacker
The data was sent silently, with no logging or error that would alert the developer. Any application that instantiated the client — whether in testing, staging, or production — would have leaked credentials.
Google AI Mode as an Unwitting Amplifier
One of the most troubling details of this attack is how potential victims found the malicious package. Google’s AI Mode search feature — which uses AI to synthesize answers and recommend resources — surfaced Sicoob.Sdk as a legitimate C# library for integrating with Sicoob’s banking APIs.
This is a category of risk that’s difficult to defend against at the individual developer level. A developer searching for “Sicoob C# SDK NuGet” and seeing an AI-generated recommendation for the package had no obvious reason for suspicion. The package had a plausible name, functional-looking code, and was hosted on NuGet itself — a trusted registry.
The incident demonstrates how AI-powered search experiences, which prioritize fluency and confidence over verification, can inadvertently launder malicious packages into the legitimate software ecosystem. NuGet registration does not imply vetting; it only means the package was uploaded. But many developers don’t make that distinction, and AI systems that recommend packages without checking their security posture can amplify the blast radius of supply chain attacks significantly.
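The exfiltration routine described under The Attack (a certificate read, base64 encoding, a silent send to a hardcoded Sentry-style endpoint, all inside a compiled assembly while the published source stayed clean) and the point just made that a NuGet listing is not vetting both lead to the same defensive check: open the .nupkg and look at what was actually shipped before trusting it. The Python script below is an added example, not code from Socket, NuGet or the Sicoob project. It treats the .nupkg as the zip archive it is, compares the SHA-256 of each shipped assembly against a hash recorded from your own build of the published source, and searches each assembly (in both its ASCII and UTF-16 string views, since .NET stores metadata names and user string literals differently) for a Sentry-style DSN and the .NET API names such a routine would reference. The expected-hash table, the indicator list, the DSN pattern and the sample package are all constructed for this example; the stand-in "assembly" is a byte string carrying the relevant strings, not a real PE file.

```python
"""Audit a .nupkg for the tampered-binary pattern: shipped assemblies that do
not match a build of the published source, plus exfiltration indicators.
Added example with constructed data; not the project's or the registry's code."""
import hashlib
import io
import re
import zipfile

# Sentry DSNs have the public form https://<hex key>@<host>.sentry.io/<project id>.
# The exact pattern and the API list below are assumptions for this example.
SENTRY_DSN_RE = re.compile(r"https?://[0-9a-f]{8,}@[\w.-]*sentry\.io/\d+")
SUSPICIOUS_APIS = ["X509Certificate2", "ReadAllBytes", "ToBase64String", "HttpClient"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_assemblies(nupkg_bytes: bytes) -> dict:
    """Return {path: bytes} for every .dll under lib/ inside the package zip."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.lower().endswith(".dll"):
                found[name] = z.read(name)
    return found


def scan_assembly(data: bytes) -> list:
    """Heuristic string scan. The latin-1 view exposes UTF-8 metadata names
    (type/member names); the two UTF-16LE views (offset 0 and offset 1, to
    cover misalignment) expose C# string literals such as a hardcoded URL."""
    views = [
        data.decode("latin-1"),
        data.decode("utf-16-le", errors="ignore"),
        data[1:].decode("utf-16-le", errors="ignore"),
    ]
    hits = set()
    for text in views:
        for m in SENTRY_DSN_RE.finditer(text):
            hits.add("endpoint:" + m.group(0))
        for api in SUSPICIOUS_APIS:
            if api in text:
                hits.add("api:" + api)
    return sorted(hits)


def audit_nupkg(nupkg_bytes: bytes, expected_hashes: dict) -> dict:
    """expected_hashes maps assembly path -> SHA-256 from your own build of the
    published source. Anything not in the table, or with a different digest,
    is reported; every assembly is also string-scanned."""
    report = {"unexpected_assemblies": [], "hash_mismatches": [], "indicators": {}}
    for path, data in extract_assemblies(nupkg_bytes).items():
        if path not in expected_hashes:
            report["unexpected_assemblies"].append(path)
        elif expected_hashes[path] != sha256_hex(data):
            report["hash_mismatches"].append(path)
        hits = scan_assembly(data)
        if hits:
            report["indicators"][path] = hits
    return report


# ---- constructed sample data (not the real package) ----------------------
SAMPLE_DLL_PATH = "lib/net8.0/Sicoob.Sdk.dll"
# Digest of a constructed "clean build"; in practice you record this from
# building the published source yourself.
SAMPLE_EXPECTED_HASHES = {SAMPLE_DLL_PATH: sha256_hex(b"MZ" + b"\x00" * 62 + b"clean build placeholder")}


def build_sample_nupkg() -> bytes:
    """Constructed stand-in .nupkg whose 'assembly' carries the kind of strings
    a scanner would find in a real one: API names as UTF-8, a URL as UTF-16LE."""
    fake_dll = (
        b"MZ" + b"\x00" * 62
        + b"X509Certificate2\x00ReadAllBytes\x00ToBase64String\x00HttpClient\x00"
        + "https://0123456789abcdef0123456789abcdef@o123456.ingest.sentry.io/4567".encode("utf-16-le")
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Sicoob.Sdk.nuspec",
                   "<package><metadata><id>Sicoob.Sdk</id><version>2.0.4</version></metadata></package>")
        z.writestr(SAMPLE_DLL_PATH, fake_dll)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in audit_nupkg(build_sample_nupkg(), SAMPLE_EXPECTED_HASHES).items():
        print(f"{key}: {value}")
```

The hash comparison only means something when you have built the published source yourself (or have a reproducible build to compare against); without that, treat every shipped assembly as unverified rather than as clean. The string scan is a triage signal, not proof: a legitimate SDK may reference X509Certificate2 and HttpClient, so the finding that matters is the combination of those calls with an endpoint that does not belong to the API the package claims to wrap.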
What Was Stolen
The package was estimated to have been downloaded approximately 500 times across versions 2.0.0 through 2.0.4. Each download represents a potential credential exfiltration event — every developer who called SicoobClient during that window may have leaked their banking integration credentials.
Affected organizations should treat the following as compromised:
- PFX certificates used for Sicoob API authentication
- PFX passwords passed to the SDK
- Client IDs used to identify the integrating application
Socket researchers described the attack as targeting companies that automate banking operations — a class of targets with direct access to payment flows. A stolen PFX from a fintech processing Pix payments could enable fraudulent transactions at scale.
Immediate Remediation Steps
Any development team that installed Sicoob.Sdk (versions 2.0.0–2.0.4) should take immediate action:
- Remove the package from all environments, including CI/CD pipelines and Docker images
- Treat all PFX material as compromised — assume certificates and keys are in the attacker’s possession
- Replace all exposed PFX certificates with newly issued ones from the Sicoob network
- Rotate all PFX passwords associated with affected integrations
- Change or disable affected client IDs where the platform allows
- Audit logs for any unexpected API calls or payment activity from the period the package was installed
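The first remediation step, removing the package from every environment, is only as good as your inventory of where it is pinned. The following Python script is an added example, not a tool from Socket or the Sicoob project: it walks a source tree and reports every reference to Sicoob.Sdk in the stated 2.0.0–2.0.4 range, across .csproj package references, packages.lock.json, legacy packages.config files, and `dotnet add package` lines in Dockerfiles and CI scripts. Each hit is one place to remove the package and one set of PFX material, passwords and client IDs to rotate. The sample repository it builds is constructed for the example (including a deliberately out-of-range pin to exercise the boundary check), and the regexes assume the common attribute order `Include="..." Version="..."`; a `<Version>` child element or reversed attributes would need an extra pattern.

```python
"""Inventory every pin of the affected NuGet package in a source tree.
Added example with a constructed sample repository; not the project's code."""
import json
import re
import tempfile
from pathlib import Path

AFFECTED_ID = "Sicoob.Sdk"
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 0, 4)   # inclusive range from the advisory text

# Package ids are case-insensitive in NuGet, so all matching lowercases them.
CSPROJ_RE = re.compile(r'<PackageReference\s+Include="(?P<id>[^"]+)"\s+Version="(?P<ver>[^"]+)"', re.I)
PKGCONFIG_RE = re.compile(r'<package\s+id="(?P<id>[^"]+)"\s+version="(?P<ver>[^"]+)"', re.I)
CLI_RE = re.compile(r'dotnet\s+add\s+package\s+(?P<id>\S+)\s+(?:--version|-v)\s+(?P<ver>\S+)', re.I)


def parse_version(text: str) -> tuple:
    """'2.0.3', '2.0.3-beta', '2.0' -> (2, 0, 3) / (2, 0, 0); prerelease tags ignored."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_text_file(path: Path, pattern) -> list:
    return [m.group("ver") for m in pattern.finditer(path.read_text(errors="ignore"))
            if m.group("id").lower() == AFFECTED_ID.lower()]


def scan_lock_file(path: Path) -> list:
    """packages.lock.json shape: {"dependencies": {"<tfm>": {"<id>": {"resolved": "x.y.z"}}}}."""
    data = json.loads(path.read_text())
    return [info["resolved"]
            for tfm_deps in data.get("dependencies", {}).values()
            for pkg_id, info in tfm_deps.items()
            if pkg_id.lower() == AFFECTED_ID.lower() and "resolved" in info]


def find_affected(root: Path) -> list:
    """Return (relative path, version) for every in-range pin under root."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(".csproj"):
            versions = scan_text_file(path, CSPROJ_RE)
        elif name == "packages.config":
            versions = scan_text_file(path, PKGCONFIG_RE)
        elif name == "packages.lock.json":
            versions = scan_lock_file(path)
        elif name == "dockerfile" or name.endswith((".sh", ".yml", ".yaml")):
            versions = scan_text_file(path, CLI_RE)
        else:
            continue
        hits.extend((path.relative_to(root).as_posix(), v) for v in versions if is_affected(v))
    return hits


def build_sample_tree() -> Path:
    """Constructed sample repository for this example; not real project files."""
    root = Path(tempfile.mkdtemp())
    (root / "src").mkdir()
    (root / "src" / "Payments.csproj").write_text(
        '<Project Sdk="Microsoft.NET.Sdk">\n  <ItemGroup>\n'
        '    <PackageReference Include="Sicoob.Sdk" Version="2.0.3" />\n'
        '    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />\n'
        '  </ItemGroup>\n</Project>\n')
    (root / "src" / "packages.lock.json").write_text(json.dumps({
        "version": 1,
        "dependencies": {"net8.0": {
            "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.3, )", "resolved": "2.0.3"},
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"}}}}))
    (root / "Dockerfile").write_text(
        "FROM mcr.microsoft.com/dotnet/sdk:8.0\nRUN dotnet add package Sicoob.Sdk --version 2.0.1\n")
    (root / "legacy").mkdir()
    # Constructed pin outside the stated range, present only to exercise the boundary check.
    (root / "legacy" / "packages.config").write_text(
        '<packages>\n  <package id="Sicoob.Sdk" version="2.0.5" targetFramework="net48" />\n</packages>\n')
    return root


if __name__ == "__main__":
    for rel_path, version in find_affected(build_sample_tree()):
        print(f"{rel_path}: {AFFECTED_ID} {version} -> remove, then rotate PFX, password and client ID")
```

Run it against each repository root and each CI image build context; a hit in a Dockerfile or pipeline script matters as much as one in a project file, because the package would have been restored and executed there too. An empty report is not a clean bill of health for machines where the package was installed interactively (for example `dotnet add package` typed at a shell and never committed), so pair the scan with a check of local NuGet package caches.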
The Broader NuGet Supply Chain Problem
This attack follows a well-established pattern of typosquatting and impersonation attacks on package registries. npm, PyPI, and RubyGems have all seen significant campaigns. NuGet has historically received less attention, partly because it serves a more enterprise-oriented C# developer base — but that also makes it a higher-value target when attackers do strike.
The Sicoob attack is notable for its precision. This was not a spray-and-pray campaign flooding the registry with hundreds of junk packages. It was a targeted strike against a specific, high-value developer community with access to banking infrastructure. The attacker understood who the Sicoob API’s developer base is and built something tailored to that audience.
The combination of convincing impersonation, AI-assisted discovery amplification, and the binary-level payload separation (keeping the source clean while the compiled package was malicious) marks this as a more sophisticated operation than the typical supply chain nuisance.