RUSTSEC-2026-0014

Source
https://rustsec.org/advisories/RUSTSEC-2026-0014
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0014.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0014
Published
2026-02-19T12:00:00Z
Modified
2026-02-19T22:55:04.047585Z
Summary
`rpc-check` was removed from crates.io for malicious code
Details

The crate attempted to steal credentials from the `POLYMARKET_PRIVATE_KEY` environment variable.

The malicious crate had 3 versions published on 2026-02-15 and had been downloaded only 155 times. There were no crates depending on this crate on crates.io.

Thanks to Sisong Li for finding and reporting this to the crates.io team!

Database specific
{
    "license": "CC0-1.0"
}
Affected packages

crates.io / rpc-check

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0

Ecosystem specific

{
    "affects": {
        "functions": [],
        "os": [],
        "arch": []
    },
    "affected_functions": null
}

Database specific

{
    "cvss": null,
    "informational": null,
    "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0014.json",
    "categories": []
}