GHSA-382Q-FPQH-29F7: Betting on a Bad Horse: The Malicious `polymarket-clients-sdk` Crate


Vulnerability ID: GHSA-382Q-FPQH-29F7
CVSS Score: 10.0
Published: 2026-02-06

A classic supply chain attack targeting the Rust ecosystem. The package polymarket-clients-sdk appeared on crates.io, masquerading as an official SDK for the popular Polymarket prediction platform. Instead of helper functions for betting, it delivered a payload capable of exfiltrating credentials and compromising developer environments via a malicious build script. This is a textbook example of brandjacking combined with the inherent risk of arbitrary code execution during package installation: Cargo runs a crate's build.rs at compile time, so merely building a project that depends on the crate is enough to trigger the payload.

TL;DR

A malicious Rust crate impersonating the Polymarket SDK was discovered on crates.io. It executes arbitrary code as soon as the crate is compiled, likely stealing environment variables and private keys. If you installed this, consider your machine compromised and your secrets stolen.


⚠️ Exploit Status: ACTIVE

Technical Details

  • Attack Type: Supply Chain / Malicious Package
  • CWE ID: CWE-506 (Embedded Malicious Code)
  • Platform: Rust / crates.io
  • Attack Vector: Network (masquerading as legitimate software)
  • Mechanism: build.rs arbitrary code execution
  • Privileges: User Level (inherits developer permissions)

Affected Systems

  • Rust Development Environments
  • CI/CD Pipelines building Rust projects
  • Systems with crates.io access
  • polymarket-clients-sdk: * (Fixed in: N/A (Removed))

Mitigation Strategies

  • Vendor verification using cargo-vet
  • Sandboxed build environments (Docker/Firejail)
  • Dependency pinning via Cargo.lock
  • Network restrictions during build time

Remediation Steps

  1. Identify projects containing `polymarket-clients-sdk` in Cargo.toml or Cargo.lock
  2. Remove the dependency immediately
  3. Delete the `target` directory and Cargo.lock
  4. Assume full system compromise: Rotate all secrets, keys, and environment variables exposed to the machine
  5. Rebuild the host system or container from a clean state
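Step 1 above (finding every project that pulls in the crate) and the "Dependency pinning via Cargo.lock" mitigation both come down to reading lockfiles. The following Rust program is an added example written for this article, not code from the advisory or from any Polymarket project: it parses the `[[package]]` tables of a Cargo.lock, normalizes crate names the way crates.io does (case and `-`/`_` are not distinguishing), and reports any package on a denylist. The embedded lockfile, the `0.1.2` version number and the zeroed checksum are constructed sample data; the advisory lists all versions (`*`) as affected. Pass a real Cargo.lock path as the first argument to scan a project on disk, or run it with no arguments to scan the sample.

```rust
// Added example: scan a Cargo.lock for denylisted crates.
// Assumes the lockfile uses the [[package]] table layout (Cargo.lock v3/v4).
use std::collections::HashSet;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    /// `None` for path/workspace members, which carry no `source` line.
    pub source: Option<String>,
}

/// crates.io rejects names that differ only by case or by `-` versus `_`,
/// so a denylist match must compare a canonical form, not the raw string.
fn canonical(name: &str) -> String {
    name.to_ascii_lowercase().replace('_', "-")
}

/// Minimal line-oriented parser for the `[[package]]` tables in a Cargo.lock.
/// Keys other than name/version/source (checksum, dependencies) are ignored.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let mut current: Option<LockedPackage> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            current = Some(LockedPackage { name: String::new(), version: String::new(), source: None });
            continue;
        }
        if line.starts_with('[') {
            // Any other table (e.g. [metadata]) ends the current package block.
            if let Some(p) = current.take() {
                packages.push(p);
            }
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue, // top-level lines such as `version = 3`
        };
        if let Some((key, value)) = line.split_once('=') {
            let value = value.trim().trim_matches('"').to_string();
            match key.trim() {
                "name" => pkg.name = value,
                "version" => pkg.version = value,
                "source" => pkg.source = Some(value),
                _ => {}
            }
        }
    }
    if let Some(p) = current.take() {
        packages.push(p);
    }
    packages
}

/// Return every locked package whose canonical name appears on the denylist.
pub fn find_denylisted<'a>(packages: &'a [LockedPackage], denylist: &[&str]) -> Vec<&'a LockedPackage> {
    let deny: HashSet<String> = denylist.iter().map(|n| canonical(n)).collect();
    packages.iter().filter(|p| deny.contains(&canonical(&p.name))).collect()
}

/// Constructed sample lockfile: one direct dependency on the malicious crate.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "polymarket-clients-sdk"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "serde",
]

[[package]]
name = "my-trading-bot"
version = "0.1.0"
dependencies = [
 "polymarket-clients-sdk",
]
"#;

fn main() {
    // Scan a real lockfile if a path was given, otherwise the embedded sample.
    let text = match std::env::args().nth(1) {
        Some(path) => std::fs::read_to_string(&path).expect("cannot read Cargo.lock"),
        None => SAMPLE_LOCK.to_string(),
    };
    let packages = parse_cargo_lock(&text);
    let hits = find_denylisted(&packages, &["polymarket-clients-sdk"]);
    if hits.is_empty() {
        println!("no denylisted crates in lockfile ({} packages checked)", packages.len());
    }
    for p in hits {
        let source = p.source.as_deref().unwrap_or("path/workspace");
        println!("DENYLISTED: {} {} (source: {})", p.name, p.version, source);
    }
}
```

Running this over every Cargo.lock under a source tree (or in CI before `cargo build`) gives a yes/no answer that does not depend on resolving dependencies, which matters here: resolving is exactly the step you do not want to perform against a lockfile that may already reference the malicious crate.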
