The editorial argues the keyword-stuffed READMEs are the visible surface of a repeatable wallet-drainer playbook that's been running for 18+ months. The actual code typically requires API keys with withdrawal permissions or seed phrases, then exfiltrates credentials to a remote endpoint controlled by the repo author, draining wallets before the first 'trade' completes.
The editorial observes that the repos track hot venues: Hyperliquid ($1.5T cumulative perp volume), AsterDEX (Solana perp darling), and Polymarket (billion in election volume). When a new DEX trends, the corresponding bot repos trend — indicating coordinated targeting of whichever platform is attracting fresh retail capital.
Published a Hyperliquid-targeted repo with a README consisting only of repeated keyword phrases like 'hyperliquid trading bot, perp trading bot, hyperliquid profitable trading bot' — no code description, install steps, or license, fitting the pattern of venue-matched wallet drainer bait.
Targets AsterDEX with the same keyword-stuffing template, repeating 'asterDEX trading bot, perp trading, asterDEX auto trading bot' as the entire README. The venue choice tracks the current Solana perp trend rather than reflecting any actual trading product.
Targets Polymarket with the identical keyword-stuffing playbook, indicating the prediction-market venue is being treated the same as perp DEXes once it crossed the billion-dollar volume threshold. The repo's structure matches the wallet-drainer template described in the editorial.
Another Polymarket-targeted repo using the same template, suggesting multiple actors (or one actor with multiple accounts) running the playbook in parallel against the same trending venue. The duplication across pseudo-orgs is itself evidence of coordinated venue-rotation tactics.
The editorial acknowledges the surface story — that pure keyword repetition in READMEs is enough to surface repos on GitHub Trending with scores in the high 300s — has been covered. Accounts created the same month with no commit history beyond an initial push are reaching trending status purely through algorithmic gaming.
Published a repo named 'weather-prediction-bot' whose README is just 'polymarket trading bot' repeated fifteen times — a mismatch between repo name and README content that exposes how thoroughly the trending algorithm can be manipulated by raw keyword density alone, regardless of coherence.
Three GitHub repositories — `Novaquant-labs/hyperliquid-trading-bot`, `SigmaTradeLabs/aster-bot`, and `BlackCandleLab/polymarket-trading-bot` — surfaced on GitHub Trending this week with scores in the high 300s. Each README is the same construction: a single phrase like *"hyperliquid trading bot, perp trading bot, hyperliquid profitable trading bot"* repeated twelve to fifteen times. No code description, no install steps, no license, no commit history beyond an initial push from an account created in the same month.
The surface story — that keyword stuffing games GitHub's discovery algorithm — got covered. The story underneath is that these aren't SEO experiments. They're a specific, repeatable wallet-drainer playbook that's been running on GitHub for at least eighteen months, and the venues just rotate as new perp DEXes get hot.
Hyperliquid did $1.5T in cumulative perp volume by Q1 2026. AsterDEX is the current darling of the Solana perp crowd. Polymarket cleared a billion in election volume. The repos track the venues. When a new DEX trends, the bots trend.
The README spam is the part that's visible. The part that isn't visible — because nobody clones these and posts a postmortem — is what the actual code does once you run it.
The pattern, when researchers have bothered to look, is consistent. The repo ships with a `config.example.json` or `.env.template` requiring an exchange API key with withdrawal permissions, or a wallet private key, or a seed phrase for "gasless signing." There's usually a Telegram link for "premium signals." The actual trading logic is either absent, copied from a public tutorial, or — most commonly — a thin wrapper that calls a remote endpoint controlled by the repo author. The remote endpoint receives your credentials within seconds of the bot starting; the wallet is drained before the first "trade" completes.
Why crypto perp bots specifically? Three structural reasons. First, the victim profile is exquisite: someone who wants to run an algorithmic trading bot has, by definition, an account funded with money and an API key with trade permissions. Second, the loss is unrecoverable — there's no chargeback on a drained Hyperliquid account. Third, the moral frame favors the attacker. Victims who got rugged trying to run a "profitable bot" don't post detailed writeups, because the implicit accusation is *you were trying to use someone else's edge*. The shame keeps the postmortems off Twitter, which keeps the next batch of repos viable.
Compare this to the equivalent attack vector in npm or PyPI, where Sonatype, Phylum, and Socket run continuous scanners and a malicious package gets yanked within hours. GitHub Trending has nothing equivalent. The signals to detect these are trivial — account age under 30 days, README with cosine similarity to a dozen other repos, zero forks but hundreds of stars from accounts also created in the last 30 days, no commit history depth — but no enforcement layer consumes them.
The community reaction has been muted because everyone who's been around long enough has internalized that GitHub Trending is unusable. The criticism that lands isn't "GitHub got tricked" — it's "GitHub stopped caring about Trending as a product around 2019 and the spam economy filled the vacuum." When a discovery surface gets abandoned by its owner, it gets colonized by whoever monetizes attention there. Right now that's crypto drainers.
If you're vetting any open-source trading, DeFi, or wallet-adjacent tooling, run the four-line filter before you even read the README. Account created in the last 90 days, zero or near-zero commit history depth, README that reads like a keyword bid sheet, and stars that arrived in a single 48-hour window — any two of those four and you close the tab. These criteria are mechanical enough to script. If you're building security tooling, this is a layup feature.
For anything that touches exchange APIs or wallets, raise your baseline. Require the repo to be older than the venue it claims to trade on. Require at least one named maintainer with an independent web presence. Require commit history that shows iteration, not a single initial dump. Require an open issue tracker with answered questions from real users. The repos that actually make money trading perps don't end up on GitHub Trending — they end up private, or in proprietary funds. The selection bias is brutal: a public, trending, "profitable" trading bot is a contradiction in terms. If the edge were real, it wouldn't be free, and if it were free, it wouldn't be edge.
For your team's onboarding docs, add this to the security section: clone-and-run from GitHub Trending is the new "open the email attachment." Junior engineers experimenting with crypto bots on weekends are the highest-risk vector, because the trust signal of "on Trending" is doing work it shouldn't.
The venues will keep rotating. Whatever perp DEX or prediction market trends next quarter will get its own keyword-stuffed bot repo on Trending within a week of breaking out. The fix isn't subtle — GitHub could ship the heuristics in a sprint — but the incentive to ship them isn't there until either a high-profile drainer victim sues or a regulator notices that the world's largest code host is a distribution channel for credential-stealing malware. Bet on the latter happening first, sometime in 2026. Until then, assume Trending is a honeypot and use stars-from-people-you-follow as your only real signal.
polymarket trading bot, polymarket trading bot, polymarket trading bot, polymarket trading bot, polymarket trading bot, polymarket trading bot, polymarket trading bot, polymarket arbitrage bot, polyma
→ read on GitHubhyperliquid trading bot, perp trading bot, hyperliquid profitable trading bot, hyperliquid trading bot, perp trading bot, hyperliquid profitable trading bot, hyperliquid trading bot, perp trading bot,
→ read on GitHubasterDEX trading bot, perp trading, asterDEX auto trading bot, asterDEX trading bot, perp trading, asterDEX auto trading bot, asterDEX trading bot, perp trading, asterDEX auto trading bot, asterDEX tr
→ read on GitHubpolymarket trading bot polymarket trading bot polymarket trading bot polymarket trading bot polymarket trading bot polymarket trading bot polymarket trading bot polymarket trading bot polymarket tradi
→ read on GitHubpolymarket trading bot, polymarket arbitrage bot, polymarket trading bot, polymarket arbitrage bot, polymarket trading bot, polymarket arbitrage bot, polymarket trading bot, polymarket arbitrage bot,
→ read on GitHubTop 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.