VDB
GCVE-110-OSM-2026-4948
GCVE-110-OSM-2026-4948
Advisory PublishedCVSS 9.6/10
Malicious NuGet package impersonating the official SDK of Brazilian financial cooperative Sicoob. Versions 2.0.0-2.0.4 ship a clean GitHub source facade (SicoobClient.cs) but a trojanized compiled DLL (lib/net8.0/Sicoob.Sdk.dll). On SicoobClient construction it exfiltrates banking mTLS material - client IDs, plaintext PFX passwords, base64-encoded PFX certificate archives, and raw boleto API responses - to an attacker-controlled Sentry DSN.
Malicious payload found in: lib/net8.0/Sicoob.Sdk.dll (versions 2.0.0-2.0.4)
Trigger: SicoobClient constructor (constructor-time injection)
Exfil channel (abused legitimate Sentry telemetry): https://d565e3f03d0b1a7c8935d7ff94237316@o4511335034847232.ingest.de.sentry.io/4511337546317904
Sentry public key: d565e3f03d0b1a7c8935d7ff94237316
Sentry ingestion host: o4511335034847232.ingest.de.sentry.io
Sentry project ID: 4511337546317904
Exfiltrated data: client IDs, plaintext PFX passwords, base64-encoded PFX certificate archives, raw boleto API responses.
Source-to-package mismatch: clean GitHub source, trojanized published DLL.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | Sicoob.Sdk | all (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.