{"id":"RUSTSEC-2026-0016","summary":"`polymarkets-rs-clob-client` was removed from crates.io for malicious code","details":"This is part of an ongoing campaign to attempt to typosquat crates in the\n[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk)\necosystem to exfiltrate user credentials.\n\nThe malicious crate had 1 version published on 2026-02-19 approximately 20\nhours before removal and had no evidence of actual downloads. There were no\ncrates depending on this crate on crates.io.\n\nThanks to Adam Harvey at the Rust Foundation, who is awkwardly thanking himself\nin this instance.\n\nThe crates.io team advises anyone developing with Polymarket to review\ndependencies carefully. We are investigating ways to mitigate this attacker who\nappears to be very motivated to steal Polymarket credentials.","modified":"2026-03-17T22:45:08.587280Z","published":"2026-02-20T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/polymarkets-rs-clob-client"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0016.html"}],"affected":[{"package":{"name":"polymarkets-rs-clob-client","ecosystem":"crates.io","purl":"pkg:cargo/polymarkets-rs-clob-client"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affects":{"functions":[],"arch":[],"os":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0016.json","informational":null,"categories":["malicious"],"cvss":null}}],"schema_version":"1.7.5"}