Malicious code found in Polymarket SDK's dependencies
GHSA-5pmp-jpcf-pwx6
Summary
A malicious crate was published to crates.io as part of a campaign that typosquats crates in the Polymarket SDK ecosystem in an attempt to steal user credentials. The crate was quickly removed, but users should review their dependencies carefully. The crates.io team is investigating ways to mitigate similar attacks in the future.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | tracing-check | All versions | – |
Original title
`tracing-check` was removed from crates.io for malicious code
Original description
This is part of an ongoing campaign to attempt to typosquat crates in the [`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk) ecosystem to exfiltrate user credentials.
The malicious crate had 1 version published on 2026-02-24 approximately 4 hours before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.
The crates.io team advises anyone developing with Polymarket to review dependencies carefully. We are investigating ways to mitigate this attacker who appears to be very motivated to steal Polymarket credentials.
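One way to act on the advice to review dependencies, as an added example (not crates.io's or Polymarket's tooling): a std-only Rust check that reads `Cargo.lock` text, flags the removed crate, and flags package names within two edits of crates you expect to depend on. The expected-crate list passed to `audit`, the lookalike name `polymarket-cilent-sdk` and the sample lockfile are constructed for illustration.

```rust
// Added example. SAMPLE is a constructed lockfile fragment, not a real project's.
const REMOVED: &[&str] = &["tracing-check"]; // crate named in this advisory
const SAMPLE: &str = r#"[[package]]
name = "polymarket-cilent-sdk"
[[package]]
name = "polymarket-client-sdk"
[[package]]
name = "tracing-check"
"#;

/// Collect the `name = "..."` value of every `[[package]]` table in Cargo.lock text.
fn package_names(lock: &str) -> Vec<String> {
    let mut in_pkg = false;
    lock.lines().map(str::trim).filter_map(|line| {
        if line.starts_with('[') {
            in_pkg = line == "[[package]]";
        }
        let rest = line.strip_prefix("name = \"").filter(|_| in_pkg)?;
        Some(rest.trim_end_matches('"').to_string())
    }).collect()
}

/// Levenshtein distance, kept to two rows of the DP table.
fn edit_distance(a: &str, b: &str) -> usize {
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, ca) in a.chars().enumerate() {
        let mut cur = vec![i + 1];
        for (j, cb) in b.iter().enumerate() {
            let best = (prev[j] + usize::from(ca != *cb)).min(prev[j + 1] + 1).min(cur[j] + 1);
            cur.push(best);
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Return (package, reason) for removed crates and for 1-2 edit lookalikes of `expected`.
fn audit(lock: &str, expected: &[&str]) -> Vec<(String, String)> {
    package_names(lock).into_iter().filter_map(|name| {
        if REMOVED.contains(&name.as_str()) {
            return Some((name, "removed from crates.io".to_string()));
        }
        let hit = expected.iter().find(|e| (1..=2).contains(&edit_distance(&name, **e)))?;
        Some((name, format!("lookalike of {hit}")))
    }).collect()
}

fn main() {
    audit(SAMPLE, &["polymarket-client-sdk"]).iter().for_each(|(n, why)| println!("{n}: {why}"));
}
```

To use it on a real project, pass the contents of your own `Cargo.lock` and the list of crates you intentionally depend on; edit distance only catches close misspellings, so unfamiliar names still need a manual look.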
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026