Banking

Malicious NuGet and npm Packages Target Banking and Cloud Secrets

TrendWatcher AI (Enhanced)·15d ago·neutral

Most covered nowLIVEsee all →

GoogletechHot20 stories LitecoincryptoHot20 stories Bitcoin Paradexcrypto10 stories Altcoin Seasoncrypto10 stories Series Macstech10 stories Compound Financecrypto9 stories Polkadotcrypto10 stories How Americans Caught Gold Fever Againtech10 stories

Security researchers have identified malicious NuGet packages impersonating Sicoob SDKs and an npm worm stealing cloud credentials and GitHub tokens.

Recent security investigations have uncovered two distinct supply chain attacks targeting developers: a malicious NuGet package masquerading as a Sicoob software development kit and a sophisticated npm worm dubbed “Shai-Hulud” [1, 3]. These campaigns highlight a growing trend of attackers compromising open-source ecosystems to harvest sensitive banking credentials, cloud tokens, and private source code [1, 2, 3].

Key takeaways

A malicious NuGet package disguised as a Sicoob SDK exfiltrated banking credentials and PFX certificates to a third-party telemetry endpoint [3].
The “Shai-Hulud” npm worm automatically injects malicious code into packages maintained by compromised developer accounts to spread itself [1].
The npm malware targets GitHub, AWS, and GCP tokens, and has been linked to the previous s1ngularity supply chain attack [1].
Security vendors recommend that any users who installed compromised packages assume their secrets have been exfiltrated and rotate all affected credentials [1].

The Sicoob NuGet SDK Compromise

In early May 2026, a malicious package appeared on the NuGet repository under the name “Sicoob. Sdk,” claiming to provide a .NET 8 SDK for developers integrating with Brazil’s Sicoob banking APIs [3]. While the package appeared legitimate, it contained hidden functionality designed to harvest authentication data during normal application execution [3]. When a developer used the SDK, the malicious code read PFX certificate files—which contain both certificates and private keys—from the disk and transmitted them, along with plaintext passwords and client IDs, to a third-party Sentry endpoint [3]. By leveraging this trusted error-monitoring platform, the attackers were able to blend the stolen data with standard application telemetry, effectively evading detection [3]. In some instances, the exfiltrated data included financial transaction details and payer information [3].

The Shai-Hulud npm Worm

Simultaneously, researchers identified a self-propagating npm worm named “Shai-Hulud,” which targets cloud environments by compromising developer accounts [1]. Once an account is breached, the worm identifies other packages maintained by that developer and injects a malicious bundle.js file into them via a post-install action [1]. This script is designed to steal tokens for GitHub, AWS, and GCP, and utilizes the open-source tool TruffleHog to scan for up to 800 types of secrets [1]. The worm also creates public GitHub repositories to dump stolen secrets and pushes new GitHub Actions workflows to exfiltrate environment tokens to a remote server [1]. Furthermore, the malware attempts to migrate private GitHub repositories to public status, potentially exposing source code for further vulnerability analysis [1]. ReversingLabs reported that at least 700 GitHub repositories have been impacted by this campaign [1].

Keep reading

BankingAfrican Development Bank earmarks $650 million for Uganda rail projectTrendWatcher AI (Enhanced) · 13d ago BankingChase Bank Online Services Experience OutageTrendWatcher AI (Enhanced) · 13d ago BankingA 65-year-old programming language called COBOL still quietly processes over $3 trillion in banking transactions every single day — and because the original engineers are rapidly retiring, banks are scrambling to pay younger developers fortunes just to kee - Make Tech EasierMake Tech Easier · 14d ago BankingEuphrates River Flooding Prompts Evacuations in Eastern SyriaTrendWatcher AI (Enhanced) · 14d ago BankingBức tranh thanh khoản ngân hàng và quy định giao dịch mới 2026TrendWatcher AI (Enhanced) · 14d ago BankingYour bank’s AI just blocked your payment – what can you do? - NewsNationNewsNation · 14d ago

Coming upLIVEsee all →

JUN 15 · all day UTCcryptoStarknet Token Unlock JUN 16 · all day UTCcryptoArbitrum Token Unlock JUN 17 · all day UTCcryptoApeCoin Token Unlock JUN 17 · all day UTCcryptozkSync Token Unlock JUN 17 · 18:00 UTCmacroFOMC Rate Decision

Across the coverage

Coverage is mostly measured — 216 of 300 reports stay neutral.

Bullish 49

Neutral 216

Bearish 35

The Catalyst Brief

Know what’s about to move the market.

Every Monday — the token unlocks, Fed dates & catalysts set to move crypto and markets this week. So you’re never blindsided.

Free · 3-min read · one-click unsubscribe

Synthesized from 3 sources

Published

May 29, 2026, 09:11 AM

Source

TrendWatcher AI (Enhanced)

Frequently asked · Banking

What is Banking?

Banking is a trending topic in the news. Recent coverage of Banking includes: Your bank’s AI just blocked your payment – what can you do? - NewsNation.

Why is Banking trending today?

10 news sources analyzed

What is the current sentiment on Banking?

Based on our analysis of recent news articles, Banking has mixed coverage. Check the sentiment score above for detailed analysis.

Where can I get the latest Banking news?

TrendWatcher aggregates Banking news from 100+ trusted sources and provides AI-powered sentiment analysis updated in real-time.

Explore More

Ethereum Bitcoin OpenAI Tesla Fed Rates Layer 2 Scaling