More than 3 million fake “stars” were used on GitHub projects to boost rankings. A concern?


GitHub is dealing with a growing issue of fake “stars” used to falsely boost the popularity of certain repositories, including scams and malware distribution projects. Stars on GitHub work like “Likes” on social media, allowing users to mark repositories they find interesting.

These stars contribute to GitHub’s ranking system and influence the recommendations users see. As GitHub explains, starring repositories or topics can help users discover similar projects and receive personalized suggestions.

This problem isn’t new. Last year, researchers from Check Point exposed the “Stargazers Ghost Network,” a malware delivery system that used fake stars to promote repositories distributing information-stealing malware.

Fake stars aren’t limited to malicious repositories. Some legitimate projects also use them to appear more popular, which can attract genuine users and real stars, increasing their visibility.

A recent study by researchers from Socket, Carnegie Mellon University, and North Carolina State University provides a clearer picture of the issue. They analyzed GitHub data using a tool they developed called “StarScout,” which identified 4.5 million suspected fake stars.

The researchers based their analysis on 20TB of data from GHArchive, which contains metadata from over 6 billion GitHub events between July 2019 and October 2024. This includes 60.5 million user actions, 610 million stars, and data from 310 million repositories.

StarScout flags accounts with suspicious behavior, such as minimal activity, bot-like patterns, or coordinated actions like starring the same repositories within a short time frame. The tool builds on CopyCatch, an algorithm designed to detect fraudulent activities on social networks.

After filtering the data using these methods, the researchers found 4.53 million fake stars generated by 1.32 million accounts across 22,915 repositories. To refine the results, they focused on repositories showing unusual spikes in starring activity and where over 10% of the stars were suspicious. This reduced the count to 3.1 million fake stars from 278,000 accounts targeting 15,835 repositories.
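The detection idea described in the two paragraphs above (low-activity accounts starring the same repositories in lockstep, then keeping only repositories where suspicious stars exceed 10%) can be sketched as a small Python heuristic over GHArchive-style WatchEvent records. This is an added illustration, not StarScout or CopyCatch code; the event sample, the five-minute burst window and the three-star burst size are constructed assumptions, and the 10% cutoff is the one the study used.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of GHArchive-style WatchEvent records (actor, repo, created_at); not real data.
# Three accounts star the same two repos within minutes, one organic user (dave) happens to
# star during a burst, and a popular repo gets one star per day plus one from bot_a.
EVENTS = [
    ("bot_a", "acme/installer", "2024-07-01T10:00:05Z"),
    ("bot_b", "acme/installer", "2024-07-01T10:01:10Z"),
    ("bot_c", "acme/installer", "2024-07-01T10:02:40Z"),
    ("dave", "acme/installer", "2024-07-01T10:00:30Z"),
    ("alice", "acme/installer", "2024-06-20T12:00:00Z"),
    ("bot_a", "acme/crack-tool", "2024-07-02T08:30:00Z"),
    ("bot_b", "acme/crack-tool", "2024-07-02T08:31:15Z"),
    ("bot_c", "acme/crack-tool", "2024-07-02T08:33:20Z"),
    ("alice", "acme/crack-tool", "2024-07-10T09:00:00Z"),
    ("bot_a", "python/cpython", "2024-06-05T12:00:00Z"),
] + [(f"user{i}", "python/cpython", f"2024-06-{i + 1:02d}T00:00:00Z") for i in range(12)]


def burst_actors(events, window=timedelta(minutes=5), min_size=3):
    """Per repo, the set of actors whose stars fall inside any window holding >= min_size stars."""
    by_repo = defaultdict(list)
    for actor, repo, ts in events:
        by_repo[repo].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor))
    result = defaultdict(set)
    for repo, stars in by_repo.items():
        stars.sort()
        i = 0
        for j in range(len(stars)):
            while stars[j][0] - stars[i][0] > window:  # slide the left edge of the window
                i += 1
            if j - i + 1 >= min_size:
                result[repo].update(actor for _, actor in stars[i:j + 1])
    return result


def suspicious_actors(events, min_shared_repos=2, **kw):
    """Lockstep heuristic: actors that take part in star bursts on several repositories."""
    repos_per_actor = defaultdict(set)
    for repo, actors in burst_actors(events, **kw).items():
        for actor in actors:
            repos_per_actor[actor].add(repo)
    return {a for a, repos in repos_per_actor.items() if len(repos) >= min_shared_repos}


def flagged_repos(events, suspects, min_fraction=0.10):
    """Repos whose suspicious stars exceed min_fraction of all stars (the study's 10% cutoff)."""
    total = Counter(repo for _, repo, _ in events)
    bad = Counter(repo for actor, repo, _ in events if actor in suspects)
    return {r: bad[r] / total[r] for r in total if bad[r] / total[r] > min_fraction}
```

Running `flagged_repos(EVENTS, suspicious_actors(EVENTS))` flags the two campaign repos but not the popular one, where the single bot star is well under the 10% cutoff; dave is caught in a burst but on one repo only, so the lockstep rule does not mark him.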

Interestingly, 91% of the flagged repositories and 62% of the suspicious accounts had been deleted by October 2024, which reinforces the accuracy of the StarScout tool. The study also noted a sharp increase in fake star activity in 2024: 15.8% of the repositories that had more than 50 stars in July were linked to these schemes.

In July 2024, the researchers reported their findings to GitHub, which led to the removal of all flagged repositories and accounts. More clusters were identified in November, and those are still being evaluated.

Fake stars undermine trust in GitHub and the projects hosted on the platform. Users are advised not to rely solely on star counts but to review repository activity, documentation, and contributions. Examining the actual code can also help determine if a project is trustworthy.

Fake repositories remain a common issue on GitHub, sometimes even being used in state-sponsored campaigns. Users should stay cautious when downloading software.
