RustSec, crates.io remove typosquat crates tracings, tracing_checks that stole API keys and installed backdoors
Two typosquat crates, tracings and tracing_checks, stole Polymarket API keys and dropped a Linux backdoor and a hidden Windows executable; crates.io and RustSec removed them under advisories RUSTSEC-2026-0027 and RUSTSEC-2026-0028.

Two malicious crates that mimicked the tracing ecosystem were removed from crates.io after they were reported to RustSec and the crates.io security team, with advisories RUSTSEC-2026-0027 and RUSTSEC-2026-0028 documenting the action. The LinkedIn reporter who found the packages said the payloads targeted Polymarket bot developers, exfiltrated API keys and .env credentials, installed a persistent backdoor on Linux, and left a hidden executable on Windows, framing the activity as part of an organized campaign.
The LinkedIn post was explicit: “Earlier today I identified and reported two malicious Rust crates on crates.io: tracings and tracing_checks. Both have been removed and issued official advisories (RUSTSEC-2026-0027, RUSTSEC-2026-0028). The crates were typosquatting the popular tracing ecosystem and targeting developers building Polymarket bots. The payload stole API keys and .env credentials, with a persistent backdoor dropped on Linux and a hidden executable on Windows. This is part of an organized campaign. Polymarket bot developers and users are high-value targets and their API keys have direct financial value, and there's a large wave of developers actively building automated trading tooling right now (especially after polymarket-cli was released).”
Sonatype’s analysis identified a separate typosquat named rustdecimal that used XOR-based obfuscation to hide code that downloaded malware and targeted both Linux and macOS. Sonatype noted that the authentic rust_decimal has been downloaded over 3,478,217 times, and assigned the malicious package the identifier sonatype-2022-2788 after Juan Aguirre “pinpointed the place in the typosquat where the malware resides.” Sonatype also relayed a contested download story: one user reported seeing over 100,000 downloads for a single malicious version, while Rust’s security team “realistically attributes most of these to bots, and states the malicious versions actually gathered fewer than 500 downloads.”
Registry response was swift and documented. As the Rust Security Response Working Group put it, “To protect the security of the ecosystem, the crates.io team permanently removed the crate from the registry as soon as it was made aware of the malware. An analysis of all the crates on crates.io was also performed, and no other crate with similar code patterns was found.” Sonatype reported that the working group also notified GitLab’s security team and Namecheap, the registrar connected to the crate’s pages domain, and that Sonatype retained a copy of the sample in its malware archives for further study.

This wave of March 3–5 removals sits alongside prior incidents showing a pattern: faster_log and async_println were deleted on September 24, 2025 after runtime-executed payloads that searched for Ethereum and Solana private keys were discovered, and finch-rst, removed under RUSTSEC-2025-0150, had one version published on 2025-12-08 and was downloaded 21 times. Web3-focused packages evm-units and uniswap-utils, published in April and present for eight months before removal, logged 7,257 and 7,441 downloads respectively and were described by Socket Threat Research as downloading payloads aimed at stealing cryptocurrency.
Crates.io, RustSec, Sonatype, and preservation teams have retained samples and logs to support deeper analysis: rust-lang’s incident notes say malicious crate files and logs were preserved, and Sonatype kept the rustdecimal sample under sonatype-2022-2788. The combination of targeted tooling (Polymarket bots), platform-specific payloads (Linux backdoors and hidden Windows executables), and repeated typosquatting incidents shows the registry remains an attractive vector for financially motivated actors, and security teams continue to triage, remove, and archive malicious packages as they surface.
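As an added example (not code from the article, RustSec, crates.io or Sonatype), the following Rust check scans a Cargo.toml dependency table for names that are one edit away from, or a short suffix on, a well-known crate, the pattern behind tracings, tracing_checks and rustdecimal. The allowlist of known crates and the sample Cargo.toml fragment are assumptions constructed for the demo.

```rust
/// Assumed allowlist of well-known crates to compare dependency names against.
const KNOWN_CRATES: &[&str] = &["tracing", "tracing-subscriber", "rust_decimal", "serde", "tokio"];

/// crates.io treats `-` and `_` as the same character in crate names, so normalize first.
fn normalize(name: &str) -> String {
    name.trim().to_ascii_lowercase().replace('-', "_")
}

/// Levenshtein edit distance (byte-wise; crate names are ASCII).
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, &ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1; b.len() + 1];
        for (j, &cb) in b.iter().enumerate() {
            let cost = if ca == cb { 0 } else { 1 };
            cur[j + 1] = (prev[j + 1] + 1).min(cur[j] + 1).min(prev[j] + cost);
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Returns (dependency, lookalike) pairs for entries in `[dependencies]`-style tables that are
/// not a known crate but sit within `max_dist` edits of one, or extend one with a short suffix
/// (e.g. `tracing_checks`). Simple line parser: `[dependencies.foo]` sub-tables are not handled.
fn suspicious_deps(cargo_toml: &str, max_dist: usize) -> Vec<(String, String)> {
    let mut in_deps = false;
    let mut hits = Vec::new();
    for line in cargo_toml.lines().map(str::trim) {
        if line.starts_with('[') {
            in_deps = line.trim_matches(|c| c == '[' || c == ']').ends_with("dependencies");
            continue;
        }
        if !in_deps || line.is_empty() || line.starts_with('#') { continue; }
        let raw = match line.split_once('=') { Some((k, _)) => k, None => continue };
        let dep = normalize(raw);
        if KNOWN_CRATES.iter().any(|k| normalize(k) == dep) { continue; }
        for known in KNOWN_CRATES {
            let known_n = normalize(known);
            let close = edit_distance(&dep, &known_n) <= max_dist;
            let suffixed = dep.starts_with(&known_n) && dep.len() - known_n.len() <= 8;
            if close || suffixed { hits.push((dep.clone(), known.to_string())); break; }
        }
    }
    hits
}

fn main() {
    // Constructed Cargo.toml fragment using two names from the advisories plus Sonatype's example.
    let sample = "[package]\nname = \"bot\"\n\n[dependencies]\ntokio = \"1\"\ntracings = \"0.1\"\ntracing_checks = \"0.1\"\nrustdecimal = \"1\"\n";
    for (dep, near) in suspicious_deps(sample, 1) {
        println!("suspicious dependency `{}` resembles `{}`", dep, near);
    }
}
```

A hit is a prompt to verify the crate on crates.io (publisher, repository, download history) before building, not proof of malice.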