Comment by closewith

7 months ago

Yes, a developer for an upstream dependency sold their credentials and the attackers were able to use that to create transactions in client banks' Pix infrastructure.

> Not much opacity here.

I think a black box implemented by a third party that can steal your funds is the definition of opacity.

> They should stop relying on poorly paid outside contractors.

A great deal of financial software is written by poorly paid contractors, but it's rare that one set of credentials can introduce systematic risk to a financial system.