In a study conducted by researchers from Carnegie Mellon University, North Carolina State University, and Socket, the integrity of GitHub’s star-rating system has been called into question. The team revealed an alarming surge in fraudulent “stars,” which are used to manipulate the perceived popularity of repositories on the world’s leading open-source platform.
Using a detection tool named StarScout, the study systematically analyzed over 20 terabytes of GitHub metadata, identifying over 4.5 million suspected fake stars spanning more than 15,000 repositories. The researchers detailed that such stars are frequently employed to amplify short-lived malware campaigns or falsely inflate the visibility of repositories, often masquerading as game cheats, cryptocurrency bots, or pirated software.
GitHub stars serve as a vital popularity signal, influencing developers’ choices and even decisions within the software supply chain. However, these stars have become an easy target for abuse. As the researchers noted, “the star count is the most widely used popularity signal, but it is also at risk of being artificially inflated (i.e., faked), decreasing its value as a decision-making signal and posing a security risk to all GitHub user.”
The study uncovered a variety of fraudulent behaviors, including:
- Bot Networks: Automated accounts generating stars en masse.
- Crowdsourced Manipulation: Human-operated schemes that mimic authentic activity.
- Fake Growth Hacking: Strategies to inflate star counts for non-malicious repositories seeking visibility.
Malicious repositories benefiting from fake stars pose a tangible threat. As the researchers highlighted, “The majority of fake stars are used to promote short-lived malware repositories masquerading as pirating software, game cheats, or cryptocurrency bots.” In one striking case, a repository that falsely claimed to be a blockchain utility was found to contain heavily obfuscated malware designed to steal cryptocurrency.
The analysis revealed that these fake star campaigns peaked in 2024, with over 15.8% of repositories gaining 50 or more stars involved in fraudulent activity during July of that year. Many of these repositories were deleted following detection, but the scale of the issue underscores the urgent need for countermeasures.
To combat this growing problem, the researchers developed StarScout, a scalable tool capable of identifying anomalous patterns in starring behavior. It leverages two core detection strategies:
- Low Activity Signature: Identifies accounts that star a minimal number of repositories before becoming inactive.
- Lockstep Signature: Detects coordinated activity by groups of accounts targeting specific repositories within short timeframes.
This approach enabled the team to uncover repositories with a high concentration of fake stars while minimizing false positives.
The findings call into question the reliability of GitHub stars as a signal of quality or trustworthiness. “Star count is an unreliable signal of quality and should not be used for high-stakes decisions,” the researchers cautioned, advocating for a multi-faceted evaluation of repositories that includes activity metrics and security audits.
For GitHub’s platform moderators, the study suggests adopting weighted popularity metrics and enhancing detection mechanisms to better identify and neutralize fraudulent campaigns. As software supply chains increasingly rely on open-source components, ensuring the integrity of trust signals like stars is paramount.
Related Posts:
- Star Blizzard: A Russia-Based Actor Targeting NATO and Beyond
- ADGUARD: Big Star Labs develop multiple apps and browser extensions for stealing private information
- July PYPL PopularitY of Programming Language: Python and Java gradually widened the gap
