GHSA-5PMP-JPCF-PWX6: GHSA-5PMP-JPCF-PWX6: Malicious Rust Crate 'tracing-check' Targeting Polymarket Developers

GHSA-5PMP-JPCF-PWX6: Malicious Rust Crate 'tracing-check' Targeting Polymarket Developers Vulnerability ID: GHSA-5PMP-JPCF-PWX6 CVSS Score: Critical Published: 2026-03-02 A critical supply chain vulnerability involving the malicious Rust crate 'tracing-check', identified in February 2026. This crate, published to the crates.io registry, employed typosquatting techniques to mimic legitimate components of the 'tracing' ecosystem. Its primary objective was the exfiltration of sensitive credentials and private keys from developers utilizing the Polymarket Client SDK. The incident highlights the growing trend of targeted attacks against decentralized finance (DeFi) infrastructure through package repository manipulation. TL;DR The 'tracing-check' crate on crates.io contained malicious code designed to steal credentials from Polymarket developers. Published on Feb 24, 2026, it used a 'build.rs' execution vector to exfiltrate environment variables. Developers with this dependency must rotate a