
Polymarket Client SDK Crate Found to Steal Credentials

GHSA-p5vf-5754-x7p3
Summary

A malicious crate, `polymarket-client-sdks`, was published to crates.io under a name that typosquats the legitimate `polymarket-client-sdk` crate. It attempted to steal credentials from local files. The crate has been removed, but users should double-check their dependencies and update the legitimate Polymarket Client SDK to prevent similar issues.

What to do

No fix is available yet. Check with your software vendor for updates.
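
One way to double-check dependencies, as the summary advises. This is an added example, not code from the advisory or the crates.io team: it scans `Cargo.lock` text for the removed crate name and, going beyond this one case, flags any package whose name is one edit away from a crate you expect to depend on. The function names, the `expected` allowlist and the sample lockfile are assumptions made for illustration.

```rust
// Added example: audit Cargo.lock text for the removed crate and near-name typosquats.
const MALICIOUS: &[&str] = &["polymarket-client-sdks"]; // crate name from this advisory
// Constructed sample lockfile: versions are placeholders, "serde_jsom" is made up.
const SAMPLE: &str = "[[package]]\nname = \"polymarket-client-sdks\"\nversion = \"0.0.0\"\n\n\
    [[package]]\nname = \"serde_jsom\"\nversion = \"0.0.0\"\n\n\
    [[package]]\nname = \"serde\"\nversion = \"0.0.0\"\n";

/// Collect package names from the `[[package]]` tables of a Cargo.lock.
fn package_names(lock: &str) -> Vec<String> {
    let mut names = Vec::new();
    let mut in_package = false;
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            in_package = line == "[[package]]";
        } else if let Some(v) = line.strip_prefix("name = ").filter(|_| in_package) {
            names.push(v.trim_matches('"').to_string());
        }
    }
    names
}

/// True when `a` and `b` differ by exactly one insertion, deletion or substitution.
fn one_edit_apart(a: &str, b: &str) -> bool {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let (s, l) = if a.len() <= b.len() { (a, b) } else { (b, a) };
    if l.len() - s.len() > 1 || s == l { return false; }
    let p = s.iter().zip(l).take_while(|(x, y)| x == y).count(); // shared prefix length
    if s.len() == l.len() { s[p + 1..] == l[p + 1..] } else { s[p..] == l[p + 1..] }
}

/// Return (package, reason) for each suspicious name in the lockfile.
fn audit(lock: &str, expected: &[&str]) -> Vec<(String, String)> {
    let mut findings = Vec::new();
    for name in package_names(lock) {
        if MALICIOUS.contains(&name.as_str()) {
            findings.push((name, "removed from crates.io for malicious code".to_string()));
        } else if let Some(e) = expected.iter().find(|e| one_edit_apart(&name, e)) {
            findings.push((name.clone(), format!("one edit from expected crate `{}`", e)));
        }
    }
    findings
}

fn main() {
    let lock = std::env::args().nth(1).map(|p| std::fs::read_to_string(p).expect("read lockfile"));
    let expected = ["polymarket-client-sdk", "serde", "serde_json"]; // hypothetical allowlist
    for (name, why) in audit(lock.as_deref().unwrap_or(SAMPLE), &expected) {
        println!("SUSPICIOUS {}: {}", name, why);
    }
}
```

Pass the path to a real `Cargo.lock` as the first argument; with no argument the constructed sample is audited.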

Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| | polymarket-client-sdks | All versions | |
Original title
`polymarket-client-sdks` was removed from crates.io for malicious code
Original description
It appeared to be typosquatting the existing crate [`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk) (`sdks` vs `sdk`) and attempting to steal credentials from local files.

The malicious crate had 1 version published on 2026-02-09 and had been downloaded only 33 times. There were no crates depending on this crate on crates.io.

Thanks to Roland Peelen for finding and reporting this to the crates.io team!
Vulnerability type
CWE-506 Embedded Malicious Code
Published: 13 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026