Versions 2.0.0 through 2.0.4 of "Sicoob.Sdk" were engineered to steal the very credentials developers supply to automate banking tasks: client IDs, PFX passwords and the PFX certificate bytes themselves — the package has been downloaded nearly 500 times, researchers report.
Sicoob.Sdk (versions 2.0.0–2.0.4): how the package stole banking credentials
Security researchers at Socket found that a NuGet package masquerading as a C# SDK for Sicoob, a major Brazilian cooperative financial system, contained deliberate data-exfiltration code. As security researcher Kirill Boychenko described it: "When a developer instantiates SicoobClient with a client ID, a PFX file path, and a PFX password, the package reads the PFX file from disk, Base64-encodes its contents, and sends the supplied client ID, PFX password, and encoded PFX data to a hardcoded third-party Sentry endpoint." The package also routes raw Boleto API responses to a separate Sentry path, potentially exposing payment statuses, amounts, due dates and payer/payee identifiers.
Registry takedown, profile activity, and Google Search AI Mode amplification
Following responsible disclosure, NuGet blocked the malicious "Sicoob.Sdk" package. Socket noted the profile behind that package — named "sicoob" — also listed 11 other NuGet packages that have accumulated roughly 6,000 downloads in total. The company said Google Search AI Mode surfaced the malicious artifact as a legitimate C# library for interacting with Sicoob banking APIs, amplifying exposure to unsuspecting developers searching for integration code.
Source-to-package mismatch and operational deception
Socket highlighted a source-to-package mismatch: the linked GitHub repository appeared clean while the published NuGet artifact contained the malicious functionality. Socket suspects the repository was kept benign to lend legitimacy, with the data-stealing code introduced only in the package uploaded to the registry. That mismatch raises the risk that routine dependency installs — particularly for SDKs tied to financial integrations — can quietly exfiltrate sensitive authentication material.
Related npm campaigns and the "vpmdhaj" actor
The Sicoob incident comes amid a broader torrent of malicious activity across npm registries. The Microsoft Defender Security Research Team reported 14 malicious npm packages published on May 28, 2026, by a single actor using the handle "vpmdhaj" and the email "a39155771@gmail.com" that harvest AWS credentials, HashiCorp Vault tokens, npm tokens and CI/CD secrets via a preinstall hook. The package names Microsoft Defender listed are:
- @vpmdhaj/devops-tools
- @vpmdhaj/elastic-helper
- @vpmdhaj/opensearch-setup
- @vpmdhaj/search-setup
- app-config-utility
- elastic-opensearch-helper
- env-config-manager
- opensearch-config-utility
- opensearch-security-scanner
- opensearch-setup
- opensearch-setup-tool
- search-cluster-setup
- search-engine-setup
- vpmdhaj-opensearch-setup
Microsoft Defender's disclosure joins multiple simultaneous npm campaigns described by researchers: 164 malicious packages that report environment variables to "oob.moika[.]tech/report," 141 packages that abuse npm as free hosting for ad-monetized proxy pages, a "forge-jsxy" package with extensive host-compromise capabilities, and 176 packages exploiting dependency confusion via a "99.99.99" version trick to run postinstall scripts and download payloads.
Manufactured legitimacy, TeamPCP’s tactics, and researcher warnings
Supply chain security firm Sonatype characterized the shifting attacker playbook as moving beyond classic typosquatting into "manufactured legitimacy" — choosing package names and patterns that look plausible in legitimate developer workflows. As Sonatype put it: "'Typosquatting' is now too narrow a label for what this analysis captures." The company cataloged brandjacking techniques including prefix/suffix addition, dependency confusion, version mimicry, embedded target terms and altered scopes.
Those tactics echo past campaigns attributed to TeamPCP (also named Replicating Marauder and UNC6780). BlueVoyant researcher Michael Warren warned that the adversary "was not just inserting malicious code into packages, but also exploiting automation, inherited trust, and ordinary CI/CD workflows to push compromise further downstream." Warren added that this tactical shift turned single poisoned dependencies into a reproducible method for victim-to-victim expansion.
What this means for technologists, enterprises, and end users
- Technologists and security teams: Immediately remove "Sicoob.Sdk" if installed; treat PFX material as compromised; replace exposed PFX certificates; rotate PFX passwords; change or disable affected client IDs; and audit Sicoob authentication and API logs for unusual activity, per Socket's recommendations.
- Affected enterprises and procurement leaders: Validate the provenance of SDKs and runtime packages, inspect registry artifacts for source-to-package mismatches, and consider controls that block unexpected postinstall or preinstall hooks — these are the vectors Microsoft Defender and other teams observed in recent npm campaigns.
- End users and customers of affected payment systems: Organizations that rely on Sicoob integrations should be alert to potential downstream financial-data leaks or payment abuse stemming from compromised API authentication material.
The recent cluster of findings — a NuGet SDK designed to siphon PFX certificates, a coordinated set of npm typosquats, and a renewed emphasis on manufactured legitimacy — shows attackers are converting ordinary developer workflows into reconnaissance and credential-theft pipelines. The practical question for defenders is whether registry hygiene, discovery of source-to-package mismatches, and rapid credential rotation can keep pace with attackers who now design packages to look operationally routine.




