CVEReports


GHSA-5PMP-JPCF-PWX6: Malicious Rust Crate 'tracing-check' Targeting Polymarket Developers

Amit Schendel, Senior Security Researcher

Mar 2, 2026 · 4 min read

Executive Summary (TL;DR)

The 'tracing-check' crate on crates.io contained malicious code designed to steal credentials from Polymarket developers. Published on Feb 24, 2026, it used a 'build.rs' execution vector to exfiltrate environment variables. Developers with this dependency must rotate all secrets immediately.

This report covers a critical supply chain vulnerability involving the malicious Rust crate 'tracing-check', identified in February 2026. The crate, published to the crates.io registry, used typosquatting to mimic legitimate components of the 'tracing' ecosystem. Its primary objective was to exfiltrate credentials and private keys from developers using the Polymarket Client SDK. The incident illustrates the growing trend of targeted attacks on decentralized finance (DeFi) infrastructure through package registry manipulation.

Vulnerability Overview

On February 24, 2026, the Rust security team identified and removed the crate tracing-check from the crates.io registry. This package was flagged as malware, specifically designed to compromise the development environments of engineers building on the Polymarket platform. The crate was available for approximately four hours before being taken down, during which time it posed a severe risk to any developer who inadvertently included it as a dependency.

The attack methodology relied on typosquatting and social engineering. The name tracing-check was calculated to appear as a legitimate utility or extension of the widely used tracing crate, a standard framework for instrumenting Rust programs. By leveraging a plausible name, the attackers aimed to trick developers into adding the dependency—either through manual error (typing the wrong name) or by assuming it was a valid helper library for their logging infrastructure.

While the download count remained low due to the rapid response, the targeted nature of the malware—specifically focusing on the polymarket-client-sdk ecosystem—indicates a sophisticated threat actor seeking financial gain through cryptocurrency theft rather than untargeted vandalism.

Supply Chain Mechanics

The core of this vulnerability lies in the trust model of package managers like Cargo. When a Rust crate is added to a project, it can execute code at two distinct phases: during compilation (via build.rs scripts) and during runtime. The tracing-check crate leveraged these mechanisms to achieve code execution immediately upon the victim attempting to build their project.

Typosquatting Strategy

Attackers exploited the cognitive load of developers. The tracing ecosystem is vast, with many legitimate sub-crates (e.g., tracing-subscriber, tracing-appender). tracing-check fits the nomenclature of a linting or verification tool for tracing spans. This camouflage reduced the likelihood of scrutiny during code reviews or dependency audits.

Execution Vector

The malicious payload was likely embedded in the build.rs file. In Rust, build.rs is compiled and executed before the main package is built to handle native dependencies or code generation. By placing the malicious logic here, the attackers ensured that mere compilation—often triggered automatically by IDEs or CI/CD pipelines—was sufficient to compromise the host. No explicit function call in the main application logic was required to trigger the exploit.

Malicious Code Analysis

Although the specific source code was removed from the registry, analysis of the campaign reveals the functional behavior of the malware. The payload was engineered to perform Credential Access (T1552) followed by Exfiltration (T1041).

Credential Scraping

The malware scanned the victim's environment for sensitive variables. Given the targeting of Polymarket, the code specifically searched for patterns related to Ethereum wallets and API authentication. Targeted variables likely included:

  • POLYMARKET_PRIVATE_KEY
  • ETHEREUM_PRIVATE_KEY
  • MNEMONIC
  • AWS or cloud provider credentials typically found in build environments.
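A practical control against this class of build-time theft is to keep such secrets out of the environment that runs cargo at all. The following Rust program is an added example, not code from the advisory or from Polymarket, of a pre-build gate: it reports the names of variables matching the patterns listed above (plus the shape of a raw Ethereum key or seed phrase) and exits non-zero so a CI step or git hook can stop the build; the name fragments and value heuristics are assumptions.

```rust
// Added example, not code from the advisory: a pre-build gate that refuses to
// run the build while wallet or cloud secrets sit in the environment, because a
// build.rs script sees every variable the invoking user has exported.
use std::env;

/// Name fragments drawn from the variables the advisory says were targeted (assumed list).
const SENSITIVE_NAME_PARTS: &[&str] =
    &["PRIVATE_KEY", "MNEMONIC", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"];

/// 32 bytes of hex, optionally 0x-prefixed: the shape of a raw Ethereum private key.
fn looks_like_eth_key(value: &str) -> bool {
    let hex = value.strip_prefix("0x").unwrap_or(value);
    hex.len() == 64 && hex.chars().all(|c| c.is_ascii_hexdigit())
}

/// 12 or 24 lowercase words: the shape of a BIP-39 seed phrase.
fn looks_like_mnemonic(value: &str) -> bool {
    let words: Vec<&str> = value.split_whitespace().collect();
    matches!(words.len(), 12 | 24)
        && words.iter().all(|w| w.chars().all(|c| c.is_ascii_lowercase()))
}

/// Names (never values) of variables that must not be present while cargo runs,
/// matched either by a name fragment or by the shape of the value.
pub fn exposed_secrets<'a, I>(vars: I) -> Vec<String>
where I: IntoIterator<Item = (&'a str, &'a str)> {
    let mut found: Vec<String> = vars
        .into_iter()
        .filter(|(name, value)| {
            let upper = name.to_ascii_uppercase();
            SENSITIVE_NAME_PARTS.iter().any(|p| upper.contains(*p))
                || looks_like_eth_key(value)
                || looks_like_mnemonic(value)
        })
        .map(|(name, _)| name.to_string())
        .collect();
    found.sort();
    found
}

fn main() {
    // Check the live environment of the process that is about to run cargo.
    let live: Vec<(String, String)> = env::vars().collect();
    let exposed = exposed_secrets(live.iter().map(|(k, v)| (k.as_str(), v.as_str())));
    if exposed.is_empty() { println!("environment clean; safe to build"); return; }
    eprintln!("refusing to build: unset {} first", exposed.join(", "));
    std::process::exit(1);
}
```

Run it as the first step of the build job; a non-zero exit means a secret would have been visible to every build script in the dependency graph.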

Exfiltration Logic

Upon locating potential secrets, the malicious code constructed an HTTP payload. Standard Rust libraries (or included dependencies) were used to transmit this data to an attacker-controlled Command and Control (C2) server. The exfiltration often occurs over HTTPS to blend in with legitimate build traffic (e.g., fetching dependencies).

> [!NOTE]
> The use of build.rs for exfiltration is particularly dangerous because it bypasses runtime sandboxes and often runs with the full privileges of the user invoking cargo build.

Campaign Context & Related Threats

The tracing-check incident was not an isolated event but part of a coordinated campaign identified as RUSTSEC-2026-0019. Security researchers linked this crate to other malicious packages targeting the same ecosystem, including:

  • polymarkets-client-sdk: A direct typosquat of the official SDK.
  • polymarket-client-sdks: Pluralization typosquat.
  • finch-rust: Exhibited similar credential exfiltration behavior.
  • sha-rust: Likely a trojanized utility crate.

This pattern suggests an attacker systematically seeding the registry with traps for developers working in the decentralized prediction market space. The simultaneous deployment of direct SDK typosquats and utility typosquats (tracing-check) indicates a multi-pronged strategy to maximize the surface area of the attack.
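The crate names above are the ones worth checking lockfiles for. As an added example, not code from the advisory or the Rust security team, this Rust program (standard library only) scans a Cargo.lock for the campaign's crate names and, following the typosquatting point made earlier, flags any package within two edits of the legitimate names tracing and polymarket-client-sdk; the sample lockfile is constructed, and the two-edit threshold is an assumption.

```rust
// Added example, not code from the advisory: audit a Cargo.lock for the crate
// names this campaign used and for near-misses of the legitimate names imitated.
use std::collections::HashSet;
/// Crates the advisory links to RUSTSEC-2026-0019.
const KNOWN_MALICIOUS: &[&str] = &["tracing-check", "polymarkets-client-sdk",
    "polymarket-client-sdks", "finch-rust", "sha-rust"];
/// Legitimate names the campaign imitated, used for the edit-distance check.
const PROTECTED: &[&str] = &["tracing", "polymarket-client-sdk"];
/// Levenshtein distance; one or two edits away from a protected name is suspicious.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1];
        for (j, cb) in b.iter().enumerate() {
            let cost = usize::from(ca != cb);
            cur.push((prev[j] + cost).min(prev[j + 1] + 1).min(cur[j] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}
/// Pull the `name = "..."` lines out of the [[package]] sections of a Cargo.lock.
fn package_names(lock: &str) -> Vec<String> {
    lock.lines().map(str::trim)
        .filter_map(|l| l.strip_prefix("name = \"")?.strip_suffix('"'))
        .map(String::from).collect()
}
/// Returns (known-malicious hits, near-misses of protected names); a clean lockfile gives two empty lists.
pub fn audit_lockfile(lock: &str) -> (Vec<String>, Vec<String>) {
    let bad: HashSet<&str> = KNOWN_MALICIOUS.iter().copied().collect();
    let (mut hits, mut suspects) = (Vec::new(), Vec::new());
    for name in package_names(lock) {
        if bad.contains(name.as_str()) {
            hits.push(name);
        } else if PROTECTED.iter().any(|p| *p != name && edit_distance(p, &name) <= 2) {
            suspects.push(name);
        }
    }
    (hits, suspects)
}
/// Constructed sample lockfile: one real crate, two campaign crates, one typo of `tracing`.
pub const SAMPLE_LOCK: &str = "[[package]]\nname = \"tracing\"\nversion = \"0.1.41\"\n\n\
    [[package]]\nname = \"tracing-check\"\nversion = \"0.1.0\"\n\n\
    [[package]]\nname = \"polymarket-client-sdks\"\nversion = \"0.2.0\"\n\n\
    [[package]]\nname = \"tracng\"\nversion = \"0.1.0\"\n";

fn main() {
    let (hits, suspects) = audit_lockfile(SAMPLE_LOCK);
    println!("known malicious: {hits:?}\nnear-misses: {suspects:?}");
}
```

Point audit_lockfile at the real Cargo.lock of each project (including those built only in CI); a hit on the known list means the secret-rotation advice in the summary applies, while a near-miss deserves a manual look before it is dismissed.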

Impact Assessment

The impact of this vulnerability is Critical for any affected entity, despite the limited distribution window. The primary consequence is the total compromise of secret material utilized in the development environment.

Financial Risk

For developers working with the Polymarket SDK, the compromised environment variables often contain private keys holding real assets (USDC, ETH) or managing prediction market positions. Successful exfiltration allows the attacker to drain these wallets immediately or manipulate market positions.

Operational Integrity

Beyond direct financial theft, the compromise of API keys could allow attackers to disrupt services, poison data streams, or pivot further into the victim's cloud infrastructure if cloud credentials were also exposed in the environment context.

Technical Appendix

CVSS Score: Critical / 10

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines building Rust projects
  • Polymarket SDK Integrations

Affected Versions Detail

  • Product: tracing-check (crates.io)
  • Affected Versions: *
  • Fixed Version: N/A (Removed)

Advisory Attributes

  • Attack Vector: Supply Chain (Typosquatting)
  • CVSS: Critical (Malicious Code)
  • Platform: Rust / crates.io
  • Target: Polymarket SDK Developers
  • Exploit Status: Active / Weaponized
  • Advisory ID: GHSA-5PMP-JPCF-PWX6

MITRE ATT&CK Mapping

  • T1195.002 Supply Chain Compromise: Compromise Software Dependencies (Initial Access)
  • T1552 Unsecured Credentials (Credential Access)
  • T1041 Exfiltration Over C2 Channel (Exfiltration)

Vulnerability Timeline

  • 2026-02-24: Malicious crate 'tracing-check' published to crates.io
  • 2026-02-24: Crates.io team identifies and removes the crate (approx. 4 hours later)
  • 2026-02-24: Advisories RUSTSEC-2026-0019 and GHSA-5PMP-JPCF-PWX6 published
  • 2026-02-26: Campaign linked to Polymarket targeting

References & Sources

  • [1] GHSA-5PMP-JPCF-PWX6 Advisory
  • [2] RUSTSEC-2026-0019 Advisory
  • [3] OSV Record RUSTSEC-2026-0019
  • [4] Rust Blog: Malicious Crate Policy
