- Researchers found 4.5 million fake stars on GitHub
- The platform’s rating and recommendations are largely based on stars.
- Users are urged to consider much more than just the number of stars.
New research has revealed how widespread fake stars are on GitHub, and why that matters: inflated star counts raise the visibility of malicious repositories used for fraud and malware distribution.
Like likes on social media, stars let users show their support for a repository. The more stars a repository receives, the more likely it is to appear in GitHub's global rankings and recommendations, which puts it in front of more unsuspecting users.
Knowing this, threat actors create automated accounts to inflate the star counts of their untrustworthy repositories and use the resulting visibility to spread malware.
GitHub star ratings help spread malware
The company confirms this on a help page: “Many of GitHub’s repository rankings depend on the number of stars a repository has. Additionally, Explore GitHub shows popular repositories based on the number of stars they have.”
A new study published in December 2024 by researchers at Carnegie Mellon University, Socket Inc, and North Carolina State University reveals that 4.5 million stars on the platform are believed to be inauthentic. It summarizes the problem as a “frequent and growing threat occurring on a platform central to modern open source software development,” and describes GitHub repositories as the “de facto distribution channels for software components.”
In total, an estimated 4.5 million stars across nearly 23,000 repositories were attributed to 1.32 million accounts, highlighting how widespread the issue has become on the platform.
The study also noted an increase in fake star activity throughout 2024, and GitHub is already taking steps to counter untrustworthy users and repositories.
Star counts were once treated as a proxy for how good a repository is. GitHub users are now encouraged to weigh other factors as well, such as the repository's activity, the authenticity of the accounts that starred it, and the quality of its code.
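As an added illustration of the kind of check the advice above points to, here is a small Python heuristic that flags stars arriving in bursts from freshly created, otherwise inactive accounts. This is example code written for this page, not code from the article, from GitHub, or from the cited study; the signals, thresholds and the sample data are all assumptions chosen for the demonstration, and real stargazer and user records would have to be fetched from GitHub's API.

```python
"""Added example (not from the article or the cited study): flag a repository
whose stars arrive in bursts from accounts with little other activity.
Signals and thresholds are this author's assumptions, not GitHub's or the
researchers' criteria."""

from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Stargazer:
    """One star event plus the starring account's profile facts."""
    login: str
    starred_at: datetime       # when the star was given
    account_created: datetime  # when the account was created
    public_repos: int
    followers: int


def is_low_activity(s: Stargazer, max_age_days: int = 30) -> bool:
    """Assumed signal: account created shortly before starring, with
    neither public repositories nor followers."""
    age = s.starred_at - s.account_created
    return (age < timedelta(days=max_age_days)
            and s.public_repos == 0
            and s.followers == 0)


def burst_days(stars: list[Stargazer], min_burst: int = 3) -> dict[date, int]:
    """Calendar days on which at least `min_burst` low-activity accounts starred.
    A production check would use a finer time window; days keep this simple."""
    per_day = Counter(s.starred_at.date() for s in stars if is_low_activity(s))
    return {d: n for d, n in per_day.items() if n >= min_burst}


def suspicious_star_ratio(stars: list[Stargazer], min_burst: int = 3) -> float:
    """Fraction of all stars that came from low-activity accounts on a burst day."""
    if not stars:
        return 0.0
    bursts = burst_days(stars, min_burst)
    flagged = sum(1 for s in stars
                  if is_low_activity(s) and s.starred_at.date() in bursts)
    return flagged / len(stars)


# Constructed sample data (not real accounts): three organic-looking stars
# spread over a week, then four stars within an hour from day-old empty accounts.
_T0 = datetime(2024, 12, 1, 12, 0)


def _star(login: str, hours_after_t0: float, account_age_days: float,
          repos: int, followers: int) -> Stargazer:
    starred = _T0 + timedelta(hours=hours_after_t0)
    return Stargazer(login, starred,
                     starred - timedelta(days=account_age_days),
                     repos, followers)


ORGANIC = [
    _star("alice", 0, 900, 12, 40),
    _star("bob", 50, 400, 3, 5),
    _star("carol", 140, 2000, 30, 120),
]
BURST = [_star(f"user{i:04d}", 200 + i * 0.25, 1, 0, 0) for i in range(4)]
SAMPLE = ORGANIC + BURST


if __name__ == "__main__":
    print("burst days:", burst_days(SAMPLE))
    print(f"suspicious ratio: {suspicious_star_ratio(SAMPLE):.2f}")
```

On the constructed sample the four burst stars all land on the same day and account for 4 of 7 stars, so the ratio is about 0.57; the three organic stars alone produce no burst and a ratio of 0. A ratio like this is only one input to a judgement; it should be read alongside commit activity, maintainer history and the code itself, as the article advises.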