Fake GitHub stars are being used to inflate malicious repositories
Fake reviews aren’t just for online shopping
Researchers from Carnegie Mellon University, Socket, and North Carolina State University have unveiled a new tactic in cybercriminals’ arsenal: the exploitation of fake GitHub stars to promote malicious repositories.
GitHub, one of the most popular platforms for software hosting and collaboration, allows users to "star" repositories – a feature similar to "likes" on social media. These stars can serve as indicators of a project's quality or popularity, and can even determine which repositories are showcased on GitHub's homepage.
Researchers say they found over 3.1 million fake stars used to artificially boost the popularity of repositories, including those distributing malware and scams.
"Starring makes it easy to find a repository or topic again later," GitHub says on its website.
"You can see all the repositories and topics you have starred by going to your stars page. You can star repositories and topics to discover similar projects on GitHub.
"When you star repositories or topics, GitHub may recommend related content on your personal dashboard. Starring a repository also shows appreciation to the repository maintainer for their work. Many of GitHub's repository rankings depend on the number of stars a repository has."
This mechanism has become a vulnerability. The researchers found cybercriminals using automated accounts to artificially inflate the star count on malicious repositories.
By working this way, the attackers boost the repositories' visibility, which increases the chance of unsuspecting users downloading or integrating harmful code.
The research team's study describes the development of a tool called StarScout to detect repositories and accounts with likely fake stars, analysing GitHub data from the past five years.
StarScout identified suspicious accounts exhibiting minimal activity, bot-like behaviour and coordinated actions, such as simultaneously starring the same repositories.
The researchers found around 4.5 million fake stars across scanned repositories. To ensure the reliability of their findings, they focused on repositories exhibiting a significant anomalous spike in starring activity within a single month, and where fake stars accounted for more than 10% of the total stars.
This refinement narrowed the results to 3.1 million fake stars distributed by 278,000 accounts across 15,835 repositories.
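The two-stage logic described above (low-activity accounts that star in coordinated bursts, then the per-repository spike and 10% refinement), as an added example that is not StarScout's code; the account names, timestamps, activity counts, hour-sized clustering window and 3x spike factor are constructed assumptions:

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data (not real GitHub records): star events as
# (account, repository, ISO-8601 timestamp) plus a per-account count of
# non-star activity (commits, issues, pull requests) used as the "minimal activity" proxy.
STARS = [
    ("alice", "good/lib", "2024-04-02T09:10:00"), ("bob", "good/lib", "2024-05-11T17:42:00"),
    ("carol", "good/lib", "2024-06-20T08:05:00"), ("dave", "good/lib", "2024-07-01T12:30:00"),
    ("bot1", "good/lib", "2024-07-10T14:05:00"),
    ("alice", "evil/cheat-loader", "2024-05-03T10:00:00"),
    ("bob", "evil/cheat-loader", "2024-06-15T11:00:00"),
] + [(f"bot{i}", "evil/cheat-loader", f"2024-07-10T14:0{i}:00") for i in range(1, 7)]
ACTIVITY = {"alice": 40, "bob": 25, "carol": 10, "dave": 7, **{f"bot{i}": 0 for i in range(1, 7)}}

def suspicious_accounts(stars, activity, max_activity=1, min_cluster=3):
    """Accounts with almost no other activity that starred the same repository
    within the same hour as at least min_cluster-1 other such accounts
    (thresholds are assumptions, not the paper's exact values)."""
    low = {a for a, n in activity.items() if n <= max_activity}
    buckets = defaultdict(set)
    for acct, repo, ts in stars:
        if acct in low:
            buckets[(repo, ts[:13])].add(acct)  # "YYYY-MM-DDTHH" bucket
    return {a for group in buckets.values() if len(group) >= min_cluster for a in group}

def flag_repositories(stars, fake_accounts, spike_factor=3.0, min_fake_share=0.10):
    """Repository-level refinement from the article: flag a repo only if its busiest
    month is a spike (>= spike_factor x the median of its other months; the factor
    is an assumption) AND fake stars exceed min_fake_share of all its stars."""
    per_month, total, fake = defaultdict(Counter), Counter(), Counter()
    for acct, repo, ts in stars:
        per_month[repo][ts[:7]] += 1   # "YYYY-MM" bucket
        total[repo] += 1
        fake[repo] += acct in fake_accounts
    flagged = {}
    for repo, months in per_month.items():
        counts = sorted(months.values())
        baseline = median(counts[:-1]) if len(counts) > 1 else 1
        spike = counts[-1] >= spike_factor * baseline
        share = fake[repo] / total[repo]
        if spike and share > min_fake_share:
            flagged[repo] = round(share, 2)
    return flagged

if __name__ == "__main__":
    bots = suspicious_accounts(STARS, ACTIVITY)
    print(sorted(bots))                       # bot1 .. bot6
    print(flag_repositories(STARS, bots))     # {'evil/cheat-loader': 0.75}
```

Note that good/lib is not flagged even though one suspected bot starred it: the lone star in July is not a spike, so the AND condition protects legitimate projects that pick up a stray fake star.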
The malicious repositories identified often contained pirated software, game cheats and cryptocurrency bots, with malware hidden in their code.
Fake star campaigns surged in 2024, peaking in July with 3,216 repositories and 30,779 user accounts participating in these campaigns.
"Some repositories may have acquired fake stars for growth hacking, but fake stars only have a promotion effect in the short term (i.e., less than two months) and become a burden in the long term," the researchers noted.
While GitHub has taken steps to remove identified inauthentic accounts and repositories, the problem remains a concern.
The researchers urge users to carefully examine project activity, documentation and code before relying on any software from the platform.