VDB

GCVE-110-OSM-2026-4948

GCVE-110-OSM-2026-4948
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 5, 2026
Malicious NuGet package impersonating the official SDK of Brazilian financial cooperative Sicoob. Versions 2.0.0-2.0.4 ship a clean GitHub source facade (SicoobClient.cs) but a trojanized compiled DLL (lib/net8.0/Sicoob.Sdk.dll). On SicoobClient construction it exfiltrates banking mTLS material - client IDs, plaintext PFX passwords, base64-encoded PFX certificate archives, and raw boleto API responses - to an attacker-controlled Sentry DSN. Malicious payload found in: lib/net8.0/Sicoob.Sdk.dll (versions 2.0.0-2.0.4) Trigger: SicoobClient constructor (constructor-time injection) Exfil channel (abused legitimate Sentry telemetry): https://d565e3f03d0b1a7c8935d7ff94237316@o4511335034847232.ingest.de.sentry.io/4511337546317904 Sentry public key: d565e3f03d0b1a7c8935d7ff94237316 Sentry ingestion host: o4511335034847232.ingest.de.sentry.io Sentry project ID: 4511337546317904 Exfiltrated data: client IDs, plaintext PFX passwords, base64-encoded PFX certificate archives, raw boleto API responses. Source-to-package mismatch: clean GitHub source, trojanized published DLL.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownSicoob.Sdkall (affected)

References

vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›