{"id":"RUSTSEC-2026-0019","summary":"`tracing-check` was removed from crates.io for malicious code","details":"This is part of an ongoing campaign to attempt to typosquat crates in the\n[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk)\necosystem to exfiltrate user credentials.\n\nThe malicious crate had 1 version published on 2026-02-24 approximately 4 hours\nbefore removal and had no evidence of actual downloads. There were no crates\ndepending on this crate on crates.io.\n\nThe crates.io team advises anyone developing with Polymarket to review\ndependencies carefully. We are investigating ways to mitigate this attacker who\nappears to be very motivated to steal Polymarket credentials.","aliases":["GHSA-5pmp-jpcf-pwx6"],"modified":"2026-03-17T22:45:08.406629Z","published":"2026-02-24T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/tracing-check"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0019.html"}],"affected":[{"package":{"name":"tracing-check","ecosystem":"crates.io","purl":"pkg:cargo/tracing-check"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":[],"os":[],"arch":[]}},"database_specific":{"categories":["malicious"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0019.json","cvss":null,"informational":null}}],"schema_version":"1.7.5"}