GHSA-p5vf-5754-x7p3

Source

https://github.com/advisories/GHSA-p5vf-5754-x7p3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-p5vf-5754-x7p3/GHSA-p5vf-5754-x7p3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p5vf-5754-x7p3

Aliases

RUSTSEC-2026-0011

Published

2026-02-13T21:02:38Z

Modified

2026-02-14T08:26:18.838806Z

Summary

`polymarket-client-sdks` was removed from crates.io for malicious code

Details

It appeared to be typosquatting existing crate <code>polymarket-client-sdk</code> (sdks vs sdk) and attempting to steal credentials from local files.

The malicious crate had 1 version published on 2026-02-09 and had been downloaded only 33 times. There were no crates depending on this crate on crates.io.

Thanks to Roland Peelen for finding and reporting this to the crates.io team!

Database specific

{
    "github_reviewed_at": "2026-02-13T21:02:38Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-506"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}

References

https://rustsec.org/advisories/RUSTSEC-2026-0011.html

Affected packages

crates.io / polymarket-client-sdks

Package

Name: polymarket-client-sdks; View open source insights on deps.dev
Purl: pkg:cargo/polymarket-client-sdks

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-p5vf-5754-x7p3/GHSA-p5vf-5754-x7p3.json"