DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-5PMP-JPCF-PWX6: Malicious Rust Crate 'tracing-check' Targeting Polymarket Developers

Vulnerability ID: GHSA-5PMP-JPCF-PWX6
CVSS Score: Critical
Published: 2026-03-02

GHSA-5PMP-JPCF-PWX6 is a critical supply chain vulnerability involving the malicious Rust crate 'tracing-check', identified in February 2026. The crate, published to the crates.io registry, used typosquatting to mimic legitimate components of the 'tracing' ecosystem. Its primary objective was to exfiltrate sensitive credentials and private keys from developers using the Polymarket Client SDK. The incident highlights the growing trend of targeted attacks against decentralized finance (DeFi) infrastructure through package repository manipulation.

TL;DR

The 'tracing-check' crate on crates.io contained malicious code designed to steal credentials from Polymarket developers. Published on Feb 24, 2026, it used a 'build.rs' execution vector to exfiltrate environment variables. Developers with this dependency must rotate all secrets immediately.


⚠️ Exploit Status: ACTIVE

Technical Details

  • Attack Vector: Supply Chain (Typosquatting)
  • CVSS: Critical (Malicious Code)
  • Platform: Rust / crates.io
  • Target: Polymarket SDK Developers
  • Exploit Status: Active / Weaponized
  • Advisory ID: GHSA-5PMP-JPCF-PWX6

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines building Rust projects
  • Polymarket SDK Integrations
  • tracing-check: * (Fixed in: N/A (Removed))

Mitigation Strategies

  • Credential Rotation
  • Dependency Auditing
  • Dependency Pinning
  • Network Egress Filtering

Remediation Steps:

  1. Identify if tracing-check is present in Cargo.lock by running cargo tree or grep "tracing-check" Cargo.lock.
  2. If the crate is found, assume total compromise of the host system.
  3. Immediately revoke and rotate all credentials (API keys, private keys, SSH keys) exposed to that environment.
  4. Remove the dependency from Cargo.toml and run cargo update.
  5. Wipe and rebuild the development environment to ensure no persistence mechanisms were installed.
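
Step 1 applied to a whole workspace or CI checkout rather than a single project, as an added example that is not part of the original advisory: it walks a directory tree, reads every Cargo.lock it finds, and reports only exact [[package]] matches on the crate name, which a plain substring grep does not guarantee. The function names, the neighbouring crate name and the version strings in the sample are constructed for illustration.

```sh
#!/bin/sh
# Added example: find lockfiles that resolve the crate named in the advisory.
# Usage (after sourcing this file): scan_tree ~/src || echo "rotate credentials"
BAD_CRATE="tracing-check"

# Print "name version" for each [[package]] entry in one Cargo.lock whose
# name is exactly $BAD_CRATE. Dependency-list lines are ignored.
lock_hits() {
    awk -v bad="$BAD_CRATE" '
        /^\[\[package\]\]/ { name = ""; next }
        /^name = "/    { name = $3; gsub(/"/, "", name); next }
        /^version = "/ { ver = $3; gsub(/"/, "", ver)
                         if (name == bad) print name, ver }
    ' "$1"
}

# Walk ROOT (default: current directory), print every affected lockfile,
# and return 1 if any was found so a CI job can fail on it.
scan_tree() {
    root="${1:-.}"
    found=0
    list=$(mktemp)
    find "$root" -name Cargo.lock -type f > "$list"
    while IFS= read -r lock; do
        hits=$(lock_hits "$lock")
        if [ -n "$hits" ]; then
            found=1
            echo "AFFECTED: $lock ($hits)"
        fi
    done < "$list"
    rm -f "$list"
    return "$found"
}

# Constructed sample: two lockfiles, one with a similarly named (made-up)
# crate that a substring grep would flag, one resolving the malicious crate.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/clean" "$d/hit"
    printf '[[package]]\nname = "tracing-checker"\nversion = "1.0.0"\n' > "$d/clean/Cargo.lock"
    printf '[[package]]\nname = "tracing-check"\nversion = "0.0.0"\n' > "$d/hit/Cargo.lock"
    rc=0
    scan_tree "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

A hit in any lockfile means the crate was resolved for that project, so the remaining remediation steps apply to every host and pipeline that built it.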

Read the full report for GHSA-5PMP-JPCF-PWX6 on our website for more details including interactive diagrams and full exploit analysis.
