RUSTSEC-2026-0011

See a problem?
Please try reporting it to the source first.
Source
https://rustsec.org/advisories/RUSTSEC-2026-0011
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0011.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0011
Aliases
Published
2026-02-13T12:00:00Z
Modified
2026-02-14T08:13:56Z
Summary
`polymarket-client-sdks` was removed from crates.io for malicious code
Details

It appeared to be typosquatting existing crate <code>polymarket-client-sdk</code> (sdks vs sdk) and attempting to steal credentials from local files.

The malicious crate had 1 version published on 2026-02-09 and had been downloaded only 33 times. There were no crates depending on this crate on crates.io.

Thanks to Roland Peelen for finding and reporting this to the crates.io team!

Database specific 
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / polymarket-client-sdks

Package

Name
polymarket-client-sdks
View open source insights on deps.dev
Purl
pkg:cargo/polymarket-client-sdks

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Ecosystem specific 

{
    "affects": {
        "functions": [],
        "os": [],
        "arch": []
    },
    "affected_functions": null
}

Database specific

source 
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0011.json"
categories 
[]
cvss 
null
informational 
null