Severity: Critical
CVSS Score: 10
It appeared to be typosquatting existing crate [`polymarket-client-sdk`](https://crates.io/crates/polymarket-client-sdk) (`clients` vs `client`) and attempting to steal credentials from local files. The malicious crate had 6 versions published on 2026-02-05 and had been downloaded only 59 times. There were no crates depending on this crate on crates.io. Polymarket thanks [Socket.dev](https://socket.dev/) for detecting and reporting this to the crates.io team!