- Reported
-
- Issued
-
- Package
-
polymarkets-rs-clob-client
(crates.io)
- Type
-
Vulnerability
- Patched
-
no patched versions
Description
This is part of an ongoing campaign to attempt to typosquat crates in the
polymarket-client-sdk
ecosystem to exfiltrate user credentials.
The malicious crate had 1 version published on 2026-02-19 approximately 20
hours before removal and had no evidence of actual downloads. There were no
crates depending on this crate on crates.io.
Thanks to Adam Harvey at the Rust Foundation, who is awkwardly thanking himself
in this instance.
The crates.io team advises anyone developing with Polymarket to review
dependencies carefully. We are investigating ways to mitigate this attacker who
appears to be very motivated to steal Polymarket credentials.
Advisory available under CC0-1.0
license.