Malicious NuGet and npm Packages Target Banking Credentials and Cloud Secrets in Coordinated Supply Chain Attack

Cybersecurity researchers have uncovered a coordinated supply chain attack targeting both .NET and JavaScript ecosystems, with malicious packages designed to steal banking authentication materials and cloud infrastructure credentials. The campaign centers on a fraudulent NuGet package impersonating Sicoob, one of Brazil's largest cooperative financial systems, alongside 14 npm packages harvesting AWS credentials and CI/CD secrets.

Fake Sicoob SDK Exfiltrates Banking Credentials

Socket researchers identified versions 2.0.0 through 2.0.4 of 'Sicoob.Sdk' containing malicious code that exfiltrates client IDs and PFX certificates used to authenticate businesses with Sicoob's banking network. These credentials enable automated banking operations including instant payment processing and dynamic Pix QR code generation. When developers instantiate SicoobClient with credentials, the package reads PFX files from disk, Base64-encodes the contents, and transmits the client ID, PFX password, and encoded certificate data to a hardcoded third-party Sentry endpoint.

The package also captures raw Boleto API responses through a separate Sentry path. Boleto, a widely-used Brazilian payment method for online and offline purchases, exposes sensitive transaction details including payment status, amounts, due dates, identifiers, and payer data. The compromised authentication material enables threat actors to impersonate victim banking API integrations, potentially leading to unauthorized transactions and data breaches affecting downstream end users.

Source-to-Package Mismatch Conceals Malicious Code

The attack employed sophisticated concealment tactics through source-to-package mismatch. The linked GitHub repository remained clean to provide perceived legitimacy, while malicious data-stealing functionality was introduced only in packages uploaded to NuGet. This technique bypasses cursory security reviews where developers examine linked repositories before installation. The attacker profile 'sicoob' published 11 other NuGet packages accumulating approximately 6,000 total downloads, suggesting broader compromise potential. NuGet has since blocked the malicious package following responsible disclosure.

Coordinated npm Campaign Targets Cloud Infrastructure

Concurrent with the NuGet attack, Microsoft Defender Security Research Team discovered 14 malicious npm packages published May 28, 2026, by threat actor 'vpmdhaj.' These packages typosquat OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries to harvest AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets. A purpose-built credential harvester launches through preinstall hooks, executing before developers can inspect package behavior.

The malicious npm packages include @vpmdhaj/devops-tools, @vpmdhaj/elastic-helper, opensearch-security-scanner, env-config-manager, and search-cluster-setup among others. The attack targets cloud infrastructure credentials that provide broad access to production environments, enabling lateral movement, data exfiltration, and persistent compromise across containerized deployments and CI/CD pipelines.

Broader Ecosystem Assault: 481 Malicious Packages Identified

This campaign represents a small portion of sustained supply chain attacks targeting npm in recent weeks. Researchers identified 164 malicious packages containing postinstall payloads that exfiltrate environment variables to 'oob.moika[.]tech/report.' Another 141 packages published between May 7-27, 2026, abuse npm as free static hosting for ad-monetized web proxies targeting students. The 'forge-jsxy' package implements comprehensive surveillance capabilities including keylogging, clipboard monitoring, .env scanning, shell history exfiltration, screenshot capture, and cryptocurrency wallet scanning.

An additional 176 packages employed dependency confusion using version number '99.99.99' to distribute postinstall scripts that fingerprint hosts, download platform-specific JavaScript payloads, exfiltrate credentials, and execute second-stage binaries. The coordinated timing and sophisticated techniques suggest organized threat actor groups systematically compromising open-source ecosystems at scale.

Evolution Beyond Typosquatting to Manufactured Legitimacy

Sonatype analysis reveals threat actors have evolved beyond classic typosquatting, employing 'manufactured legitimacy' tactics where package names appear convincing within legitimate developer workflows. Techniques include prefix or suffix addition, dependency confusion, version mimicry, embedded target terms, altered scopes or namespaces, and functional naming that resembles authentic packages. This transforms routine package installation into high-risk activities enabling reconnaissance, credential theft, and downstream compromise.

These attacks demonstrate attackers designing packages to appear plausible, useful, and operationally routine inside modern software ecosystems rather than relying on developer typing errors. The shift requires defenders to implement comprehensive supply chain security beyond simple name validation, including behavioral analysis, source code verification, and continuous monitoring of package update patterns.

Defense Recommendations

Security teams must implement multi-layered supply chain defenses. Deploy automated scanning tools that detect preinstall and postinstall hooks, analyze package behavior for network connections and file system access, and verify source-to-package consistency. Establish internal package registries with approval workflows for external dependencies. Implement least-privilege principles for build environments to limit credential exposure if compromise occurs.

• Enable dependency lock files and verify cryptographic hashes before installation
• Monitor package installation logs for unexpected preinstall or postinstall script execution
• Audit developer workstations and CI/CD systems that may have installed compromised packages
• Implement network segmentation to prevent exfiltration from build environments
• Use software composition analysis tools with behavioral detection capabilities
• Establish vendor verification processes before adopting new dependencies
• Review and rotate credentials accessible from compromised environments
• Subscribe to security advisories for package registries and ecosystem security research

The convergence of AI-amplified discovery mechanisms with sophisticated concealment techniques marks a critical inflection point in supply chain security. Organizations must assume compromise risk exists in any external dependency and architect defensive controls accordingly. The scale and coordination of recent campaigns—481 malicious packages in weeks—demonstrates attackers have industrialized supply chain exploitation, requiring equally systematic defensive responses from development and security teams.