Sicoob.Sdk (NuGet) exfiltrates PFX & client ID; npm campaign steals secrets

The malicious NuGet package Sicoob.Sdk (versions 2.0.0–2.0.4) steals client IDs, passwords and PFX certificate files.
Key points:
- Reads the PFX file, Base64-encodes it and sends the client ID, password and PFX to a hard-coded Sentry endpoint; it also intercepts Boleto (Brazilian bank payment slip) responses. Roughly 500 downloads; the package is now blocked on NuGet.
- At the same time, 14 malicious npm packages ('vpmdhaj') harvested AWS, Vault, npm and CI secrets via preinstall scripts.
Recommendations: uninstall the package; treat the PFX and its password as compromised, so replace the certificate and passwords, revoke and rotate the client IDs, and review logs for API calls made with the stolen credentials.
Why it matters: a stolen PFX (certificate plus private key) together with the client ID lets an attacker impersonate the banking integration and commit material financial fraud.
Have you audited your dependencies and CI secrets?
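A starting point for that audit, as an added example that is not part of the original post: it flags Sicoob.Sdk references in the affected 2.0.0–2.0.4 range in a .csproj or packages.lock.json, and lists the npm lifecycle scripts (preinstall/install/postinstall) a package would run on install. The sample project file, lock file and package.json are constructed for the example; the package name "example-dep" is a placeholder, not a real package.

```python
"""Dependency audit helpers (added example, not code from the post).
Checks: NuGet references to Sicoob.Sdk 2.0.0-2.0.4, and npm install-time hooks."""
import json
import re
import xml.etree.ElementTree as ET

# Affected Sicoob.Sdk range taken from the post (inclusive bounds).
BAD_PACKAGE = "sicoob.sdk"
BAD_RANGE = ((2, 0, 0), (2, 0, 4))
# npm lifecycle scripts that run arbitrary code during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def parse_version(text):
    """Turn '2.0.3', '[2.0.3, )' or '2.0.3-beta' into a comparable tuple; None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def _in_bad_range(name, version_text):
    ver = parse_version(version_text)
    return name.lower() == BAD_PACKAGE and ver is not None and BAD_RANGE[0] <= ver <= BAD_RANGE[1]


def affected_nuget_refs(csproj_xml):
    """Return (package, version) pairs from an SDK-style .csproj in the malicious range."""
    hits = []
    root = ET.fromstring(csproj_xml)
    for ref in root.iter("PackageReference"):
        name = ref.get("Include", "")
        # Version may be an attribute or a child element.
        version = ref.get("Version") or ref.findtext("Version") or ""
        if _in_bad_range(name, version):
            hits.append((name, version))
    return hits


def affected_lock_entries(packages_lock_json):
    """Same check against packages.lock.json, which records *resolved* versions
    (catches a transitive pull-in that the .csproj alone would not show)."""
    hits = []
    data = json.loads(packages_lock_json)
    for framework_deps in data.get("dependencies", {}).values():
        for name, info in framework_deps.items():
            resolved = info.get("resolved", "")
            if _in_bad_range(name, resolved):
                hits.append((name, resolved))
    return hits


def install_hooks(package_json):
    """Return the lifecycle scripts an npm package runs at install time."""
    scripts = json.loads(package_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


# Constructed sample inputs (not taken from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sicoob.Sdk" Version="2.0.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.3, )", "resolved": "2.0.3"},
            "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
        }
    },
})

# "example-dep" is a placeholder package name for the example.
SAMPLE_NPM_PKG = json.dumps({
    "name": "example-dep",
    "version": "1.0.0",
    "scripts": {"preinstall": "node setup.js", "test": "jest"},
})


if __name__ == "__main__":
    print("csproj hits:", affected_nuget_refs(SAMPLE_CSPROJ))
    print("lock hits:  ", affected_lock_entries(SAMPLE_LOCK))
    print("npm hooks:  ", install_hooks(SAMPLE_NPM_PKG))
```

Run it against your own files by feeding their contents to the three functions; any npm dependency that reports a preinstall or postinstall script deserves a look at what that script actually does before it is allowed into CI.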
#cybersecurity #supplychain #NuGet #npm

