- Reported
-
- Issued
-
- Package
-
polymarkets-client-sdk
(crates.io)
- Type
-
Vulnerability
- Patched
-
no patched versions
Description
It appeared to be typosquatting existing crate
polymarket-client-sdk (polymarkets vs
polymarket) and attempting to steal credentials from local files.
The malicious crate had 1 version published on 2026-02-19 an hour before removal and hadn't been
downloaded. There were no crates depending on this crate on crates.io.
Thanks to Carol Nichols, who is thanking herself for spotting this in the docs.rs build queue and
removing it quickly!
The crates.io team advises anyone developing with Polymarket to review dependencies carefully. We
are investigating ways to mitigate this attacker who appears to be very motivated to steal
Polymarket credentials.
Advisory available under CC0-1.0
license.