GHSA-382Q-FPQH-29F7: Betting on a Bad Horse: The Malicious `polymarket-clients-sdk` Crate

Published: (February 7, 2026 at 04:10 PM EST)
Source: Dev.to

Overview

Vulnerability ID: GHSA-382Q-FPQH-29F7
CVSS Score: 10.0
Published: 2026-02-06

A classic supply-chain attack targeting the Rust ecosystem. The crate polymarket-clients-sdk appeared on crates.io, masquerading as an official SDK for the Polymarket prediction platform. Instead of providing helper functions for betting, it delivered a payload capable of exfiltrating credentials and compromising developer environments via malicious build scripts. This is a textbook example of brandjacking combined with the inherent risks of arbitrary code execution during package installation.

Technical Details

  • Attack Type: Supply Chain / Malicious Package
  • CWE ID: CWE-506 (Embedded Malicious Code)
  • Platform: Rust / crates.io
  • Attack Vector: Network (masquerading as legitimate software)
  • Mechanism: build.rs arbitrary code execution
  • Privileges Required: User level (inherits developer permissions)

Affected Environments

  • Rust development workstations
  • CI/CD pipelines building Rust projects
  • Systems with access to crates.io

Impact

The malicious crate executes arbitrary code immediately upon compilation, likely stealing environment variables, private keys, and other secrets. If the crate was installed, the machine should be considered compromised and all exposed secrets rotated.

Mitigation and Remediation

  1. Identify any projects containing polymarket-clients-sdk in their Cargo.toml.
  2. Remove the dependency immediately.
  3. Delete the target directory and the Cargo.lock file to purge compiled artifacts.
  4. Assume full system compromise: rotate all secrets, keys, and environment variables that were accessible on the machine.
  5. Rebuild the host system or container from a clean state.
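As an added example (not part of the advisory), the following POSIX shell script carries out steps 1 and 3 as a read-only audit: it locates every Cargo.toml or Cargo.lock under a directory that references the crate (Cargo.lock is checked too, because a transitive pull-in only shows up there) and lists, without deleting, the target directory and Cargo.lock that step 3 says to purge. It assumes only find and grep; the sample project tree it builds is constructed for the demonstration, and the function names are the example's own.

```shell
#!/usr/bin/env sh
# Added example, not from the advisory: audit a tree of Rust projects for the
# malicious crate before touching anything. Read-only; it reports, it does not delete.
# Assumes POSIX sh plus find and grep. The crate name is the one named in the advisory.

BAD_CRATE="polymarket-clients-sdk"

# Print every Cargo.toml or Cargo.lock under $1 that mentions the crate.
# Always exits 0 so callers can use it inside command substitution under set -e.
find_bad_crate() {
    find "$1" -type f \( -name Cargo.toml -o -name Cargo.lock \) \
        -exec grep -l -- "$BAD_CRATE" {} + 2>/dev/null || true
}

# Return 0 if the crate is referenced anywhere under $1, 1 otherwise.
# Usable as the exit code of a CI pre-build gate.
is_compromised() {
    hits=$(find_bad_crate "$1")
    [ -n "$hits" ]
}

# For every project that references the crate, list the artifacts step 3 says to
# purge (target/ and Cargo.lock). Dry run only: it prints, it does not delete.
list_artifacts_to_purge() {
    find_bad_crate "$1" | while IFS= read -r manifest; do
        proj=$(dirname "$manifest")
        if [ -d "$proj/target" ]; then printf '%s\n' "$proj/target"; fi
        if [ -f "$proj/Cargo.lock" ]; then printf '%s\n' "$proj/Cargo.lock"; fi
    done | sort -u
    return 0
}

# Constructed sample tree (not real projects) so the audit can be run offline:
# one clean crate and one that lists the malicious crate as a dependency,
# including a Cargo.lock entry and a stale target/ directory.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/clean" "$dir/infected/target"
    printf '[package]\nname = "clean"\n\n[dependencies]\nserde = "1"\n' \
        > "$dir/clean/Cargo.toml"
    printf '[package]\nname = "infected"\n\n[dependencies]\n%s = "0.1"\n' "$BAD_CRATE" \
        > "$dir/infected/Cargo.toml"
    printf '[[package]]\nname = "%s"\nversion = "0.1.0"\n' "$BAD_CRATE" \
        > "$dir/infected/Cargo.lock"
    printf '%s\n' "$dir"
}

# Usage (source the file, then point it at a source tree):
#   . ./audit.sh
#   is_compromised "$HOME/src" && list_artifacts_to_purge "$HOME/src"
```

Because the script only greps manifests and lockfiles, it will miss a vendored copy of the crate whose name was changed; treat a clean result as "no known reference", not as proof the host is clean, and still follow steps 4 and 5 if the crate was ever built on it.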

Preventive Measures

  • Use vendor verification tools such as cargo-vet.
  • Build in sandboxed environments (e.g., Docker, Firejail).
  • Pin dependencies via Cargo.lock.
  • Apply network restrictions during build time to limit external fetches.
