{"id":"RUSTSEC-2026-0015","summary":"`polymarkets-client-sdk` was removed from crates.io for malicious code","details":"It appeared to be typosquatting existing crate\n[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk) (`polymarkets` vs\n`polymarket`) and attempting to steal credentials from local files.\n\nThe malicious crate had 1 version published on 2026-02-19 an hour before removal and hadn't been\ndownloaded. There were no crates depending on this crate on crates.io.\n\nThanks to Carol Nichols, who is thanking herself for spotting this in the docs.rs build queue and\nremoving it quickly!\n\nThe crates.io team advises anyone developing with Polymarket to review dependencies carefully. We\nare investigating ways to mitigate this attacker who appears to be very motivated to steal\nPolymarket credentials.","modified":"2026-03-17T22:45:11.433607Z","published":"2026-02-19T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/polymarkets-client-sdk"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0015.html"}],"affected":[{"package":{"name":"polymarkets-client-sdk","ecosystem":"crates.io","purl":"pkg:cargo/polymarkets-client-sdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"functions":[],"os":[]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0015.json","categories":["malicious"],"informational":null,"cvss":null}}],"schema_version":"1.7.5"}