Brazilian Bank Users Targeted By Sneaky NuGet Malware Campaign

By 813 Staff


The Hacker News (@TheHackersNews) reported the campaign within the last 24 hours.

Source: https://x.com/TheHackersNews/status/2060288306676740209

The cybersecurity community is tracking a two-front supply chain attack. A malicious package on the NuGet package manager is actively stealing Brazilian bank credentials, while a separate cluster of tainted npm packages targets developer environments.

Internal documents shared with security teams reveal that the Sicoob NuGet package, masquerading as a legitimate integration library for the Brazilian credit union system, contains obfuscated credential-harvesting code. Engineers close to the project say the payload specifically targets online banking sessions for Sicoob and other major Brazilian financial institutions, exfiltrating login credentials and session tokens to a remote command-and-control server. The package was uploaded to NuGet in mid-May and had been downloaded hundreds of times before security researchers flagged its behavior. Detection and cleanup have not been clean: Microsoft's NuGet team has removed the package from listings, but delisting does not purge copies already restored into local package caches or build artifacts, and the software development kits Brazilian fintech companies ship to their own customers may already carry it as a transitive dependency downstream.

Simultaneously, The Hacker News (@TheHackersNews) reported a separate campaign deploying malicious npm packages. While the NuGet attack targets Brazilian bank users directly, the npm packages appear designed to infect CI/CD pipelines. The exact infection vector remains under analysis, but researchers suspect the packages install cryptominers and backdoors that persist after the build completes. The packages were published under names closely resembling popular open-source utilities, a classic typosquatting tactic, and had been downloaded thousands of times before being flagged. Since npm runs any install-time lifecycle scripts a package declares with the privileges of the installing user, a typosquatted name that lands in a lockfile can execute code on every CI run that restores it.

The twin attacks highlight a growing trend: supply chain compromises are no longer limited to opportunistic cryptomining. They are now being used for financial theft and persistent access. For developers using either package ecosystem the immediate impact is clear: any system where these packages were installed should be treated as fully compromised, and credentials, API keys and session tokens that were reachable from it should be rotated. The Sicoob credential theft, in particular, could cascade into banking fraud for Brazilian consumers who use fintech apps built on the compromised dependency.

What comes next is uncertain. NuGet and npm maintainers have pulled the confirmed packages, but the identities of the attackers remain unknown. The security community is now scanning for additional packages that share the same code obfuscation patterns. For now, developers are advised to audit their dependency trees, including the transitive dependencies recorded in lockfiles, and review any recent installs from these registries. Expect follow-up advisories in the coming days as reverse engineers map out the full command-and-control infrastructure.
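As an added example (not code from the report or from any registry's tooling), the following Python script shows how such an audit can be scripted against the lockfiles both ecosystems produce: NuGet's packages.lock.json and npm's package-lock.json (lockfileVersion 1 and 2/3). It checks every recorded dependency, transitive ones included, against an exact blocklist and also flags names within a small edit distance of well-known packages, the typosquatting pattern described above. "Sicoob" is the only name the report gives; the npm blocklist entry, the "popular" lists, the sample lockfile contents and the lookalike name "expresss" are constructed here for illustration.

```python
"""Audit NuGet and npm lockfiles for blocklisted and typosquat-like package names.

Added example: parses packages.lock.json (NuGet) and package-lock.json (npm,
lockfileVersion 1 and 2/3), checks every dependency, transitive ones included,
against an exact blocklist, and flags names that sit within a small edit
distance of a popular package. Blocklist entries other than "Sicoob" and the
"popular" lists are placeholders, not real advisory data.
"""
import json

# Exact matches, compared case-insensitively (NuGet IDs are case-insensitive).
BLOCKLIST = {
    "nuget": {"sicoob"},             # package name given in the report
    "npm": {"placeholder-bad-pkg"},  # hypothetical stand-in for advisory names
}

# Well-known names that typosquats imitate (constructed list, extend as needed).
POPULAR = {
    "nuget": ["Newtonsoft.Json", "Serilog", "Dapper"],
    "npm": ["lodash", "express", "chalk", "axios"],
}


def edit_distance(a, b):
    """Levenshtein distance; one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nuget_packages(lock):
    """Yield (name, version, kind) from packages.lock.json; kind is the
    lockfile's own 'Direct' / 'Transitive' / 'Project' label."""
    for _framework, deps in lock.get("dependencies", {}).items():
        for name, meta in deps.items():
            yield name, meta.get("resolved", "?"), meta.get("type", "?")


def npm_packages(lock):
    """Yield (name, version, kind) from package-lock.json."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by node_modules path
        root = lock["packages"].get("", {})
        direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the project itself
            name = path.split("node_modules/")[-1]  # keeps "@scope/name" intact
            yield name, meta.get("version", "?"), "Direct" if name in direct else "Transitive"
    else:  # lockfileVersion 1: nested "dependencies" trees; v1 does not record
        # which entries are direct, so every entry is reported as "Unknown"
        def walk(deps):
            for name, meta in deps.items():
                yield name, meta.get("version", "?"), "Unknown"
                yield from walk(meta.get("dependencies", {}))
        yield from walk(lock.get("dependencies", {}))


def audit(ecosystem, lock):
    """Return findings for one lockfile: blocklisted names and near-miss lookalikes."""
    entries = nuget_packages(lock) if ecosystem == "nuget" else npm_packages(lock)
    findings = []
    for name, version, kind in entries:
        lower = name.lower()
        finding = {"name": name, "version": version, "kind": kind}
        if lower in BLOCKLIST[ecosystem]:
            findings.append({**finding, "reason": "blocklisted"})
            continue
        for popular in POPULAR[ecosystem]:
            d = edit_distance(lower, popular.lower())
            # distance 0 is the genuine package; 1-2 on a name of 5+ chars is suspicious
            if 0 < d <= 2 and len(lower) >= 5:
                findings.append({**finding, "reason": f"resembles {popular} (edit distance {d})"})
                break
    return findings


# Constructed sample lockfiles (not captured from a real project). "Sicoob"
# arrives transitively, the case the report warns fintech SDK consumers about;
# "expresss" is a made-up lookalike name used only to exercise the check.
NUGET_LOCK = json.loads("""{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3", "contentHash": "AAAA"},
      "Sicoob": {"type": "Transitive", "resolved": "1.0.0", "contentHash": "BBBB"}
    }
  }
}""")

NPM_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "dependencies": {"lodash": "^4.17.21", "expresss": "^1.0.0"}},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/expresss": {"version": "1.0.0"}
  }
}""")

if __name__ == "__main__":
    for eco, lock in (("nuget", NUGET_LOCK), ("npm", NPM_LOCK)):
        for f in audit(eco, lock):
            print(f"[{eco}] {f['name']}@{f['version']} ({f['kind']}): {f['reason']}")
```

Run it against a real project by replacing the two sample objects with `json.load(open("packages.lock.json"))` and `json.load(open("package-lock.json"))`; NuGet only writes packages.lock.json when `RestorePackagesWithLockFile` is enabled, so projects without one need `dotnet restore` with that property set first. The edit-distance threshold is deliberately loose and will produce false positives on short names; it is a triage aid, and an exact blocklist entry is the only hit that should be treated as confirmed.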

