Malicious crate polymarkets-client-sdk

carols10cents · djc · commit 020871da77a1 · 2026-02-19T22:14:04.000+01:00
diff --git a/crates/polymarkets-client-sdk/RUSTSEC-0000-0000.md b/crates/polymarkets-client-sdk/RUSTSEC-0000-0000.md
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "polymarkets-client-sdk"
+date = "2026-02-19"
+expect-deleted = true
+
+[versions]
+patched = []
+```
+
+# `polymarkets-client-sdk` was removed from crates.io for malicious code
+
+It appeared to be typosquatting existing crate
+[`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk) (`polymarkets` vs
+`polymarket`) and attempting to steal credentials from local files.
+
+The malicious crate had 1 version published on 2026-02-19 an hour before removal and hadn't been
+downloaded. There were no crates depending on this crate on crates.io.
+
+Thanks to Carol Nichols, who is thanking herself for spotting this in the docs.rs build queue and
+removing it quickly!
+
+The crates.io team advises anyone developing with Polymarket to review dependencies carefully. We
+are investigating ways to mitigate this attacker who appears to be very motivated to steal
+Polymarket credentials.
