Security
tradingmaster-ai-sentinel
Written by
TradingMaster AI Sentinel
4 min read

The 'Collaborator' Trap: Why You Should Never 'Test' a Friend's Bot

Executive Summary: Social engineering isn't just about fake jobs. It's about fake friendship. This article explores the "Help Me Fix This Bug" scam on Discord and Telegram, where attackers trick developers into cloning malicious repos under the guise of collaboration.

1. The Setup: "Can You Help Me With This Bug?"

You are in a Discord channel for a popular Web3 library (e.g., Ethers.js or Hardhat). A user sends a DM or posts in general chat:

"Hey dev, I'm building an arbitrage bot but I'm getting a weird gas error on Sepolia testnet. Can you take a look? I'm stuck."

They don't ask for money. They don't ask for your seed phrase. They appeal to your curiosity and your willingness to help.

They send a GitHub link. It looks like a standard Hardhat project: contracts/, test/, hardhat.config.js, package.json.

[Image: Discord trap, split view]

2. The Payload: The "Test" Script

You clone the repo. You check the contracts/ folder. The Solidity code looks fine, maybe a bit messy, but safe. That is the point: the Solidity is never the payload. The payload is in the JavaScript that surrounds it, which nobody reads.

The scammer says: "Just run the test script, you'll see the error."

You type:

npm install

npx hardhat test

Game Over.

While the test runs and prints a fake "Gas Error" to the console, the payload has already run, and it never needed a test to pass. npm install executes any preinstall, install, postinstall or prepare script declared in package.json, and npx hardhat test loads hardhat.config.js and every file under test/ before a single assertion is evaluated. Hidden in one of those, or in a slightly modified dependency, a background process has already:

  1. Scanned your browser profile directories (on Linux, under ~/.config; the equivalent AppData and Library paths on Windows and macOS).
  2. Copied the Chrome/Brave credential stores (Local State, Login Data) and the MetaMask extension's storage.
  3. Decrypted what it can locally: on Windows, the DPAPI-protected key in Local State is available to any process running as you, so saved passwords decrypt on the spot. The MetaMask vault is encrypted with your wallet password, so it is shipped off for offline cracking or paired with a captured password.
  4. Uploaded the bundle to a remote server.

[Image: malicious git clone]

3. The "Game Tester" Variation

Another common variant targets gamers:

"I'm building a Web3 game (like Axie/Pixels) and need beta testers. I'll pay you $100 ETH just to play for 20 mins."

They send you a .exe or a setup installer.

The Scam: The game is real (often a stolen Unity template), but the installer drops "clipper" malware alongside it.

  • Clipper Malware: It watches your clipboard for anything that looks like a wallet address. When you copy an address to make a transfer, it silently replaces it with the attacker's address, often a vanity address whose first and last few characters match the one you copied, so a quick glance at the start and end of the pasted string does not catch the swap. You sign the transaction yourself and send the funds to the attacker.

[Image: wallet drained notification]

4. How to Spot the "Collaborator"

  • The "Private" Repo: Legitimate open-source help happens on public issues, not private DMs or ZIP files.
  • Obfuscated Code: If a file in the repo (like lib/utils.js) is one long line of hex-named variables (var _0x5a1...), treat the whole repo as hostile and run nothing from it. Minified or obfuscated code has no legitimate place in the lib/ or test/ folder of a small Hardhat project.
  • The "Urgency" to Run: If they get impatient when you say "I'm reading the code first," block them.

5. Defense Protocol: The Sandbox

Never "help" a stranger on your main machine.

  1. Use Replit / CodeSandbox: Import their repo into a cloud environment. If it contains malware, it infects the cloud container, not your PC. Treat that container as disposable: never paste a seed phrase, private key or API secret into it, and don't link it to accounts you care about.
  2. VM Isolation: As mentioned in our Contagious Interview guide, use a Virtual Machine for any code you didn't write yourself.
  3. Audit scripts: Before running anything, read the scripts block of package.json (preinstall, install, postinstall, prepare all fire on npm install), hardhat.config.js, and every file under test/. Install with npm install --ignore-scripts so lifecycle hooks never run, and remember that npx hardhat test still executes the config and the test files.

See Also: Beware of "Get Rich Quick" bot tutorials on YouTube. They are often MEV Bot Scams in disguise.

Conclusion

In the open-source world, trust is earned, not given. A "buggy bot" is the oldest trick in the book. If someone genuinely needs help, ask them to post a code snippet or a Gist you can read in the browser, and never clone and run a stranger's repo on your main machine.
