- Reported
-
- Issued
-
- Package
-
rpc-check
(crates.io)
- Type
-
Vulnerability
- Patched
-
no patched versions
Description
This is part of an ongoing campaign to attempt to typosquat crates in the
polymarket-client-sdk
ecosystem to exfiltrate user credentials.
The malicious crate had 6 versions published from 2026-02-20 onwards and had no
evidence of actual usage. There were no crates depending on this crate on
crates.io.
Thanks to Eren for finding and reporting this to the Rust security response
working group, and to Emily Albini for co-ordinating with the crates.io team.
The crates.io team advises anyone developing with Polymarket to review
dependencies carefully. We are investigating ways to mitigate this attacker who
appears to be very motivated to steal Polymarket credentials.
Advisory available under CC0-1.0
license.