@alon710
Created February 13, 2026 22:40
GHSA-P5VF-5754-X7P3: The 'S' Stands for Stealing: Dissecting the Polymarket Typosquat - CVE Security Report

CVSS Score: 10.0
Published: 2026-02-13
Full Report: https://cvereports.com/reports/GHSA-P5VF-5754-X7P3

Summary

In the fast-moving world of crypto-prediction markets, developers often prioritize speed over security. GHSA-P5VF-5754-X7P3 (also known as RUSTSEC-2026-0011) exploits this urgency through a classic typosquatting attack. By publishing a crate named polymarket-client-sdks—adding a single, pluralizing 's' to the legitimate SDK name—an attacker managed to distribute a malicious payload designed to harvest credentials from developer machines. This wasn't a subtle buffer overflow; it was a brazen smash-and-grab operation targeting AWS keys, SSH credentials, and wallet data, executing automatically the moment the package was compiled.

TL;DR

A malicious Rust crate polymarket-client-sdks impersonated the official polymarket-client-sdk. It contained malware that executed during the build process to scan the host filesystem for sensitive credentials (AWS, SSH, Wallets) and exfiltrate them. If you installed this package between Feb 9 and Feb 13, 2026, your machine is compromised.

Exploit Status: ACTIVE

Technical Details

  • Attack Vector: Supply Chain / Typosquatting
  • Impact: Credential Theft / Data Exfiltration
  • Severity: Critical (Malware)
  • Affected Component: build.rs (Build Script)
  • CWE ID: CWE-1357
  • Exploit Status: Active / Weaponized

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines running cargo build on unverified manifests
  • Developer Workstations (macOS, Linux, Windows)
  • polymarket-client-sdks = 0.1.0 (no fixed version: the crate was deleted from the registry)

Mitigation

  • Dependency Pinning and Review: pin exact versions and always inspect the Cargo.toml (and any build.rs) of a new dependency before adding it.
  • Registry Verification: Check that the crate name matches the upstream project's documented name exactly, and check download counts and owner history on crates.io.
  • Sandboxed Builds: Run compilations in isolated containers (Docker) with no network access or restricted filesystem access.
  • Use cargo-audit: Regularly scan project dependencies for reported vulnerabilities.

Remediation Steps

  1. Remove the malicious crate polymarket-client-sdks from Cargo.toml.
  2. Delete the Cargo.lock file and the target/ directory to clear build artifacts.
  3. Rotate ALL credentials located on the infected machine (AWS, SSH, GPG, API Keys).
  4. Check ~/.bashrc, ~/.zshrc, and systemd services for persistence mechanisms.
  5. Switch to the legitimate crate: polymarket-client-sdk.
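As an added example (not part of the advisory and not CVEReports' tooling), the following POSIX shell check covers the dependency-review advice under Mitigation and step 1 of the remediation: it lists every package in a Cargo.lock and flags any name that is on a blocklist or, more generally, one trailing character away from a crate you intend to use, which is exactly the polymarket-client-sdks versus polymarket-client-sdk pattern. The KNOWN_CRATES list, the BLOCKLIST, and the two sample lockfiles are assumed and constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or CVEReports): scan a Cargo.lock for
# dependency names that are blocklisted or one trailing character away from a
# crate you mean to depend on. KNOWN_CRATES, BLOCKLIST and the two lockfiles
# below are assumed / constructed for the demonstration.

KNOWN_CRATES="polymarket-client-sdk serde tokio"   # crates you intend to use (assumed)
BLOCKLIST="polymarket-client-sdks"                  # malicious name from the advisory

# Print "name version" for every [[package]] entry in the Cargo.lock at $1.
# The lockfile's own top-level "version = 3" line is skipped because no
# package name has been seen yet at that point.
lock_packages() {
    awk '
        /^\[\[package\]\]/ { name = "" }
        /^name = /         { n = $3; gsub(/"/, "", n); name = n }
        /^version = /      { if (name != "") { v = $3; gsub(/"/, "", v); print name, v } }
    ' "$1"
}

# Print one "SUSPECT <name> <version> <reasons>" line per flagged package.
# Returns 0 when nothing is flagged and 1 otherwise, so it can gate a CI step.
check_lock() {
    report=$(lock_packages "$1" | while read -r pkg ver; do
        reason=""
        for bad in $BLOCKLIST; do
            if [ "$pkg" = "$bad" ]; then reason="blocklisted"; fi
        done
        for good in $KNOWN_CRATES; do
            if [ "$pkg" = "$good" ]; then continue; fi
            # "$good"? matches $good plus exactly one extra character (sdk -> sdks);
            # "$pkg"? catches the reverse, a name missing one trailing character.
            case "$pkg" in "$good"?) reason="${reason:+$reason,}one-char-from:$good" ;; esac
            case "$good" in "$pkg"?) reason="${reason:+$reason,}one-char-from:$good" ;; esac
        done
        if [ -n "$reason" ]; then echo "SUSPECT $pkg $ver $reason"; fi
    done)
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# Constructed lockfiles: one pulls in the typosquat, the other the real SDK
# (the 0.1.0 version of the legitimate crate is a placeholder, not a fact).
TMP=$(mktemp -d)
SAMPLE_LOCK="$TMP/Cargo.lock.suspect"
CLEAN_LOCK="$TMP/Cargo.lock.clean"
write_lock() {   # $1 = path, $2 = name of the polymarket crate to include
    cat > "$1" <<EOF
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "$2"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
}
write_lock "$SAMPLE_LOCK" polymarket-client-sdks
write_lock "$CLEAN_LOCK"  polymarket-client-sdk

check_lock "$SAMPLE_LOCK" || echo "review the dependencies above before building"
check_lock "$CLEAN_LOCK"  && echo "clean lockfile: no suspect names"
```

Run it against a project's Cargo.lock before `cargo build`, since that is when a dependency's build.rs executes, ideally inside the network-isolated container the Mitigation section recommends; the non-zero exit on a hit is what lets a CI job refuse to compile. A one-character name-distance check is a heuristic: it will not catch a squat that differs by more than one character or by a swapped separator, so it complements rather than replaces cargo-audit and owner verification on crates.io.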

Generated by CVEReports - Automated Vulnerability Intelligence
