Dotnet

Supply Chain 2026-05-30
Malicious NuGet Package Impersonates Sicoob Banking SDK, Exfiltrates mTLS Certificates Through Sentry
A trojanized NuGet package posing as the official Sicoob C# SDK reads PFX certificates off disk and ships them, plus the password, to an attacker-controlled Sentry endpoint — abusing a trusted telemetry service as its exfiltration channel.
supply-chain nuget dotnet credential-theft mtls malware
vulnerability 2026-04-25
ASP.NET Core CVE-2026-40372: Signature-Bypass in DataProtection Forges Auth Cookies, Patching Alone Doesn't Close the Door
Microsoft's out-of-band patch fixes a CVSS 9.1 signature-verification bug in ASP.NET Core DataProtection that lets unauthenticated attackers forge cookies and decrypt protected payloads. Tokens minted during the exposure window stay valid after upgrade — you have to rotate the key ring.
aspnet-core dotnet cve-2026-40372 dataprotection privilege-escalation signature-bypass out-of-band

Malicious NuGet Package Impersonates Sicoob Banking SDK, Exfiltrates mTLS Certificates Through Sentry