If you haven't guessed it by now, the two CDs were actually packed full of malware, and the letter wasn't really from the NCUA.  Reportedly (according to the SANS Internet Storm Center) the packages were sent from Microsolved as part of an authorized security test.

Nonetheless, the NCUA has responded, issuing a warning.  The NCUA states, "A federally insured credit union has reported receiving a bogus Letter to Credit Unions, accompanied by two compact discs (CDs). The subject of the fraudulent letter itself is a purported NCUA FRAUD Alert. The letter advises credit unions to review training material (contained on the CDs). DOING SO COULD RESULT IN A POSSIBLE SECURITY BREACH TO YOUR COMPUTER SYSTEM, OR HAVE OTHER ADVERSE CONSEQUENCES."

The letter which comes in the packages bears many hallmarks of a phishing scheme including typos and grammatical errors.  An excerpt from it:

The NCUA has warned numerous times 1 about "phishing" scams in which crooks send e-mails claiming to be from legitimate financial institutions, companies or government agencies asking consumers to "re-submit" or "verify" confidential information such as bank accounts, Social Security Numbers, passwords, and personal identification numbers...

Please read the included document, as it contains important training and informational material regarding the risks of fraud...

While it appears the campaign may only be a test, it demonstrates an attack route that has not been executed in some time, though much talked about.  Given the lack of good reasoning that many users seem to have when it comes to security, the attack may experience great success.