GHSA-5pmp-jpcf-pwx6

Source

https://github.com/advisories/GHSA-5pmp-jpcf-pwx6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5pmp-jpcf-pwx6/GHSA-5pmp-jpcf-pwx6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5pmp-jpcf-pwx6

Aliases

RUSTSEC-2026-0019

Published

2026-03-02T18:30:52Z

Modified

2026-03-05T06:11:18.542253Z

Summary

`tracing-check` was removed from crates.io for malicious code

Details

This is part of an ongoing campaign to attempt to typosquat crates in the polymarket-client-sdk ecosystem to exfiltrate user credentials.

The malicious crate had 1 version published on 2026-02-24 approximately 4 hours before removal and had no evidence of actual downloads. There were no crates depending on this crate on crates.io.

The crates.io team advises anyone developing with Polymarket to review dependencies carefully. We are investigating ways to mitigate this attacker who appears to be very motivated to steal Polymarket credentials.

Database specific

{
    "github_reviewed_at": "2026-03-02T18:30:52Z",
    "github_reviewed": true,
    "cwe_ids": [],
    "nvd_published_at": null,
    "severity": "CRITICAL"
}

References

Affected packages

crates.io / tracing-check

Package

Name: tracing-check; View open source insights on deps.dev
Purl: pkg:cargo/tracing-check

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-5pmp-jpcf-pwx6/GHSA-5pmp-jpcf-pwx6.json"