
A fake Sicoob NuGet SDK exfiltrated mTLS certificates through Sentry

2026-05-28 · by @osbytes · 6 min read
#security #supply-chain #nuget #dotnet #csharp

TL;DR

  • Sicoob.Sdk 2.0.0 through 2.0.4 on NuGet impersonated Brazil's Sicoob cooperative banking APIs. The published Sicoob.Sdk.dll exfiltrates client ID, plaintext PFX password, and base64-encoded PFX file contents to a hardcoded third-party Sentry DSN when SicoobClient is constructed with isSandbox: false.
  • The linked Sicoob-Cooperativa GitHub org shows ordinary mTLS setup in source; Socket found no SentrySdk.Init, File.ReadAllBytes, or CaptureMessage exfil path in the visible C# tree. Treat the repo as a clean-source façade for a malicious artifact.
  • NuGet blocked the package after Socket's report. If you instantiated the client with real credentials, revoke the PFX, rotate passwords and client IDs, and hunt egress to o4511335034847232.ingest.de.sentry.io.

The attack hides in the constructor, not a postinstall script

Most registry malware this month has screamed through postinstall, build.rs, or autoload.files. Sicoob.Sdk is quieter: it asks for exactly what a real Sicoob integration needs (client ID, PFX path, PFX password), loads the certificate for mutual TLS, then phones home during SicoobClient construction before your app calls a financial API.

Socket's static and dynamic analysis of versions 2.0.0–2.0.4 (full write-up) shows the production path:

  1. isSandbox is false (the documented production constructor).
  2. SentrySdk.Init runs with a hardcoded DSN pointing at o4511335034847232.ingest.de.sentry.io.
  3. File.ReadAllBytes(this.PfxPath) reads the certificate archive from disk.
  4. SentrySdk.CaptureMessage sends a string bundling client ID, PFX password, and base64 PFX bytes.

Sandbox mode skips Sentry initialization, which makes local tests with dummy certs less likely to trip the wire while CI and production builds with real material do.

That is a different trust failure than "run this shell hook on install." The SDK is the secret handler. Any host that constructs SicoobClient with production flags, including build agents mounting real PFX files from secret stores, can leak banking mTLS material in one line of startup code.

Clean GitHub, dirty DLL

The impersonation stack is layered:

  • NuGet owner sicoob listed 12 Sicoob-branded packages; the wrapper Sicoob.Sdk pulled in eleven generated API client modules. Socket did not see the same standalone Sentry exfil logic in those siblings, but they share the same publisher identity as the confirmed-malicious wrapper.
  • GitHub org Sicoob-Cooperativa (created 2026-05-04, unverified, zero public members) hosts repos labeled "SDK Oficial." The long-standing github.com/Sicoob account (since 2017, Brasília location, links to www.sicoob.com.br) has no public tie to the NuGet publisher Socket reviewed.
  • Public SicoobClient.cs in the lure repo configures X509Certificate2 for mTLS and does not contain the Sentry capture path. The .csproj lists a Sentry package dependency, but the exfil behavior lives only in lib/net8.0/Sicoob.Sdk.dll on NuGet.

Same-week supply-chain stories often rewrite tags or tarballs in plain sight (our laravel-lang note). Here the scam is binary divergence: reviewers who only skim GitHub miss the payload entirely.

Socket also notes Google's AI search experience surfacing Sicoob.Sdk as the .NET path for Sicoob API work, which pushes impersonation into discovery, not just typosquatting on the gallery page.

What to grep for and what to rotate

Remove any reference to Sicoob.Sdk or the sicoob NuGet profile until Sicoob confirms an official package through channels you trust.

Search code, lockfiles, pipeline YAML, and secret mounts for:

<PackageReference Include="Sicoob.Sdk" />
new SicoobClient(

Network and EDR telemetry for:

o4511335034847232.ingest.de.sentry.io
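Because the payload lives in the shipped DLL rather than the GitHub tree, the grep above should extend to the NuGet artifact itself. The following Python script is an added example (not Socket's tooling and not code from the Sicoob.Sdk package): it opens a .nupkg and checks each DLL under lib/ for the shape described in the attack chain, a Sentry ingest host among the UTF-16 string literals next to the SentrySdk, CaptureMessage and ReadAllBytes member names. The sample package it builds is constructed; the DSN key and the clean sibling DLL are placeholders, and only the ingest host is the value reported on this page.

```python
"""Triage a .nupkg for the Sicoob.Sdk-style exfil shape: a hardcoded Sentry
ingest host plus file-read and message-capture APIs inside the shipped DLL.
Added example; not Socket's tooling and not the package's own code."""
import io
import re
import zipfile

# C# string literals land in the #US heap as UTF-16LE; member names referenced
# by the assembly sit in the #Strings heap as plain ASCII/UTF-8.
DSN_HOST = re.compile(r"o\d+\.ingest(?:\.[a-z]{2})?\.sentry\.io")
API_NAMES = ("SentrySdk", "CaptureMessage", "ReadAllBytes")


def utf16_strings(blob: bytes, min_len: int = 8):
    """Yield runs of printable ASCII-range text stored as UTF-16LE."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        yield m.group().decode("utf-16-le")


def scan_dll(blob: bytes) -> dict:
    literals = list(utf16_strings(blob))
    hosts = sorted({h for lit in literals for h in DSN_HOST.findall(lit)})
    apis = [name for name in API_NAMES if name.encode() in blob]
    # A Sentry dependency alone is ordinary (the lure .csproj declared one);
    # an ingest host next to a file read and CaptureMessage is the exfil shape.
    if hosts and len(apis) == len(API_NAMES):
        verdict = "exfil-pattern"
    elif hosts or apis:
        verdict = "sentry-only"
    else:
        verdict = "clean"
    return {"hosts": hosts, "apis": apis, "verdict": verdict}


def scan_nupkg(data: bytes) -> dict:
    """Return {dll path: findings} for every DLL shipped under lib/ in the package."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().startswith("lib/") and name.lower().endswith(".dll"):
                results[name] = scan_dll(z.read(name))
    return results


def build_sample_nupkg() -> bytes:
    """Constructed stand-in for a package; NOT the real Sicoob.Sdk bytes."""
    dsn = "https://examplekey@o4511335034847232.ingest.de.sentry.io/123".encode("utf-16-le")
    exfil_dll = b"MZ" + b"\x00" * 64 + b"SentrySdk\x00CaptureMessage\x00ReadAllBytes\x00" + dsn
    clean_dll = b"MZ" + b"\x00" * 64 + b"X509Certificate2\x00" + "sandbox".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/net8.0/Sicoob.Sdk.dll", exfil_dll)
        z.writestr("lib/net8.0/Sicoob.Models.dll", clean_dll)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_nupkg()
    for path, finding in scan_nupkg(data).items():
        print(path, finding)
```

Run it against the cached .nupkg in your NuGet fallback folder; a "sentry-only" verdict is a prompt to read the IL, while "exfil-pattern" on a banking SDK is grounds to treat the credentials it received as burned.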

If a machine or pipeline ran the malicious DLL with real clientId, pfxPath, and pfxPassword, assume the PFX archive and password are burned. Revoke and reissue the certificate with Sicoob, rotate client IDs where the API allows it, and review Sicoob-side logs for token issuance, Pix, boleto, or account APIs you did not expect.

Socket reported 484 total downloads across six versions before NuGet blocked the package. Small numbers still hurt when the victim is a treasury integration or a CI job with live certs.

Why Sentry makes this worse to spot

Sentry is a legitimate crash and diagnostics sink. This package abuses it as an exfiltration channel that looks like "telemetry" in dependency graphs and outbound firewall rules. A PFX file is not a stack trace; shipping it inside CaptureMessage is not a reasonable observability practice, and no banking SDK should ever transmit the password that unlocks the private key.

Static analysis also flagged a separate path that captures raw boleto API responses (Brazilian payment-slip records that can carry payer, payee, and amount fields). Socket confirmed the PFX path dynamically; treat boleto capture as an additional static finding to watch for in your logs.

Sources