2 files changed +56 -0
lines changed Original file line number Diff line number Diff line change 1+ ``` toml
2+ [advisory ]
3+ id = " RUSTSEC-0000-0000"
4+ package = " tracing_checks"
5+ date = " 2026-02-26"
6+ expect-deleted = true
7+
8+ [versions ]
9+ patched = []
10+ ```
11+
12+ # ` tracing_checks ` was removed from crates.io for transitively including malicious code
13+
14+ This is part of an ongoing campaign to attempt to typosquat crates in an
15+ attempt to exfiltrate Polymarket credentials.
16+
17+ The malicious crate had 1 version published on 2026-02-26 approximately 9 hours
18+ before removal and had no evidence of actual usage, both in terms of downloads
19+ and dependents. It did not include the malware payload itself; this was instead
20+ delivered via the ` tracings ` crate, which has received a separate advisory.
21+
22+ Thanks to Marko Ćupić for finding and reporting this to the Rust security
23+ response working group, and to Emily Albini for co-ordinating with the
24+ crates.io team.
25+
26+ The crates.io team advises anyone developing with Polymarket to review
27+ dependencies carefully. We are investigating ways to mitigate this attacker who
28+ appears to be very motivated to steal Polymarket credentials.
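Review bot: The summary at lines 14-15 calls this a typosquat but never names the crate the name `tracing_checks` was meant to be confused with, and the body has no remediation step for a reader who did add it. Suggest naming the imitated crate and adding a sentence that anyone who built with this dependency should remove it and rotate any Polymarket credentials present in that environment. The reference to the `tracings` advisory at line 20 is by crate name only; once ids are assigned, link the two advisories to each other. Minor wording: "to attempt to typosquat crates in an attempt to" repeats "attempt".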
Original file line number Diff line number Diff line change 1+ ``` toml
2+ [advisory ]
3+ id = " RUSTSEC-0000-0000"
4+ package = " tracings"
5+ date = " 2026-02-26"
6+ expect-deleted = true
7+
8+ [versions ]
9+ patched = []
10+ ```
11+
12+ # ` tracings ` was removed from crates.io for malicious code
13+
14+ This is part of an ongoing campaign to attempt to typosquat crates in an
15+ attempt to exfiltrate Polymarket credentials.
16+
17+ The malicious crate had 1 version published on 2026-02-26 approximately 9 hours
18+ before removal and had no evidence of actual usage. The only crate depending on
19+ this crate was the ` tracing_checks ` crate, which was also part of this campaign
20+ and has received a separate advisory.
21+
22+ Thanks to Marko Ćupić for finding and reporting this to the Rust security
23+ response working group, and to Emily Albini for co-ordinating with the
24+ crates.io team.
25+
26+ The crates.io team advises anyone developing with Polymarket to review
27+ dependencies carefully. We are investigating ways to mitigate this attacker who
28+ appears to be very motivated to steal Polymarket credentials.
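Review bot: This is the advisory for the crate that delivered the payload, yet lines 14-20 state only the campaign goal and not what the malicious code does or when it runs (at build time or at run time), so a reader cannot judge their exposure or know what to look for. Suggest a short description of the observed behaviour and of what data was targeted, at whatever level of detail the response team is comfortable publishing. Line 18 says there was "no evidence of actual usage" and then names a dependent crate in the next sentence; the sibling advisory qualifies the same claim with "both in terms of downloads and dependents", so align the wording here, for example by saying there were no dependents outside this campaign.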