Protect.Computer

Fake Banking Package Steals Credentials via NuGet and npm


Researchers have uncovered malicious software packages on two popular developer platforms — NuGet and npm — that were designed to steal banking credentials and sensitive login secrets. The most serious case involves a fake package called “Sicoob.Sdk” on NuGet, which impersonated a legitimate tool used by Brazilian developers to connect their apps to Sicoob, one of Brazil’s largest cooperative banking networks. Versions 2.0.0 through 2.0.4 of the package silently read banking certificates stored on the developer’s computer, encoded them, and sent them to the attackers — allowing criminals to potentially impersonate businesses inside Sicoob’s banking system and carry out financial fraud.

On npm, a second campaign involved 14 malicious packages published on May 28, 2026 by a threat actor who crafted package names to look like common developer tools. These packages stole cloud access keys, server passwords, and other secrets from automated build pipelines. Combined, the packages had roughly 6,500 downloads before being identified. If you or your company uses these platforms to build software, it is worth checking your installed packages now.

How to check if you’re affected

Affected versions of Sicoob.Sdk are 2.0.0 through 2.0.4 on NuGet. If you have installed any version in that range, treat your PFX certificates and banking credentials as compromised: revoke and replace certificates, rotate passwords, disable affected client IDs, and review your Sicoob authentication logs for unexpected activity. For npm, search your project’s package.json and package-lock.json for packages published by “vpmdhaj” or any of these names: elastic-opensearch-helper, opensearch-setup-tool, or @vpmdhaj/devops-tools. If found, rotate all environment-variable secrets (AWS keys, HashiCorp Vault tokens, npm tokens) immediately.
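The check described above, as an added example that is not code from the article or the researchers: it scans a parsed package.json, package-lock.json and NuGet packages.lock.json for the names and versions listed here. The function names, the sample data, and the choice to flag anything under the `@vpmdhaj/` scope are assumptions; the article names only three of the 14 npm packages, so a clean result does not rule out the others.

```javascript
// Indicators from the article; only three of the 14 npm names are listed there.
const NPM_NAMES = new Set(["elastic-opensearch-helper", "opensearch-setup-tool", "@vpmdhaj/devops-tools"]);
const NPM_SCOPE = "@vpmdhaj/"; // assumption: treat every package under this scope as suspect
const NUGET_BAD = /^2\.0\.[0-4]$/; // Sicoob.Sdk 2.0.0 through 2.0.4
const isBadNpm = (name) => NPM_NAMES.has(name) || name.startsWith(NPM_SCOPE);

// Scan a parsed package.json and package-lock.json (either may be null).
function scanNpm(pkg, lock) {
  const hits = new Set();
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys((pkg && pkg[field]) || {})) {
      if (isBadNpm(name)) hits.add(`package.json: ${name}`);
    }
  }
  // lockfileVersion 2/3: keys are install paths like "node_modules/a/node_modules/b"
  for (const [path, meta] of Object.entries((lock && lock.packages) || {})) {
    const name = path.split("node_modules/").pop();
    if (name && isBadNpm(name)) hits.add(`package-lock.json: ${name}@${meta.version}`);
  }
  // lockfileVersion 1: nested "dependencies" tree (transitive packages included)
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (isBadNpm(name)) hits.add(`package-lock.json: ${name}@${meta.version}`);
      walk(meta.dependencies);
    }
  };
  walk(lock && lock.dependencies);
  return [...hits].sort();
}

// Scan a parsed NuGet packages.lock.json: dependencies -> target framework -> package ID.
function scanNuget(lock) {
  const hits = [];
  for (const [tfm, pkgs] of Object.entries((lock && lock.dependencies) || {})) {
    for (const [id, meta] of Object.entries(pkgs)) {
      // NuGet package IDs are case-insensitive
      if (id.toLowerCase() === "sicoob.sdk" && NUGET_BAD.test(meta.resolved || "")) {
        hits.push(`${tfm}: ${id} ${meta.resolved}`);
      }
    }
  }
  return hits;
}

// Constructed sample inputs; real use: JSON.parse the files from the project directory.
const samplePkg = { dependencies: { "opensearch-setup-tool": "^1.0.0", "example-lib": "^2.0.0" } };
const sampleLock = { lockfileVersion: 3, packages: { "": {}, "node_modules/opensearch-setup-tool": { version: "1.0.0" }, "node_modules/example-lib/node_modules/@vpmdhaj/devops-tools": { version: "0.0.1" } } };
const sampleNuget = { version: 1, dependencies: { "net8.0": { "Sicoob.Sdk": { type: "Direct", resolved: "2.0.3" } } } };
console.log(scanNpm(samplePkg, sampleLock), scanNuget(sampleNuget));
```

The lockfile scan also catches the packages when they arrive as transitive dependencies, which a look at package.json alone would miss. A NuGet packages.lock.json exists only when lock files are enabled for the project.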
