{"id":"RUSTSEC-2026-0027","summary":"`tracings` was removed from crates.io for malicious code","details":"This is part of an ongoing campaign to attempt to typosquat crates in an\nattempt to exfiltrate Polymarket credentials.\n\nThe malicious crate had 1 version published on 2026-02-26 approximately 9 hours\nbefore removal and had no evidence of actual usage. The only crate depending on\nthis crate was the `tracing_checks` crate, which was also part of this campaign\nand has received a separate advisory.\n\nThanks to Marko Ćupić for finding and reporting this to the Rust security\nresponse working group, and to Emily Albini for co-ordinating with the\ncrates.io team.\n\nThe crates.io team advises anyone developing with Polymarket to review\ndependencies carefully. We are investigating ways to mitigate this attacker who\nappears to be very motivated to steal Polymarket credentials.","modified":"2026-03-17T22:45:08.475451Z","published":"2026-02-26T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/tracings"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0027.html"}],"affected":[{"package":{"name":"tracings","ecosystem":"crates.io","purl":"pkg:cargo/tracings"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"functions":[],"os":[]}},"database_specific":{"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0027.json","categories":["malicious"],"informational":null}}],"schema_version":"1.7.5"}