The next time you check out a software project on GitHub, don’t treat a large star count as a quality indicator. A new study by researchers at Carnegie Mellon University, Socket, and North Carolina State University shows how fake stars are used to boost malicious GitHub repositories.
GitHub is one of the most popular sites for hosting software projects and downloads, for everything from Windows Terminal to 7-Zip. People can ‘star’ a repository, which is similar to a ‘like’ on social media platforms, and projects with many stars are sometimes featured on the GitHub home page and in other places, such as trending lists and search results.
There have been a few reports of malicious actors adding thousands of stars to fake projects to push malware, but the new research paper adds more insight into the problem. It explains that fake GitHub stars are sourced from “bots, crowdsourced humans, exchange platforms where users exchange stars for a reward,” and other similar methods. The stars are purchased for “growth hacking,” sometimes to attract VC funding, as well as for promoting repositories that contain malware. The paper explains, “repositories with fake stars gain an unfair advantage in the GitHub popularity contest, which can be then exploited in various ways to harm stakeholders in the software supply chain.”
The researchers built a tool called ‘StarScout’ that scans repositories and GitHub accounts for likely fake stars, using public GitHub activity dumps from the past five years. StarScout’s output indicates that fake star attacks are increasing, and it flagged about 4.5 million suspected fake stars across all scanned repositories. Some of the projects with fake stars appeared to be “pirated software, game cheats, and cryptocurrency bots,” but with malware hidden in the code.
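To make the detection idea concrete, here is an added example that is not StarScout and not code from the paper or the article. It audits a constructed set of stargazer records with two simplified heuristics of my own choosing: a star from a ‘low-activity’ account (created shortly before the star and with almost no other recorded activity) is suspect, and a repository is flagged as a likely campaign when enough suspect stars land inside a short time window. The repository names, account names, thresholds and all timestamps are invented for the demonstration.

```python
"""Toy fake-star audit over constructed stargazer records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Account:
    login: str
    created_at: datetime
    total_events: int  # every recorded public action, the star included


@dataclass(frozen=True)
class StarEvent:
    repo: str
    login: str
    starred_at: datetime


def is_low_activity(account, star, max_age_days=30, max_events=1):
    """Heuristic 1 (assumed thresholds): a throwaway account that was created
    shortly before starring and did almost nothing else."""
    age = star.starred_at - account.created_at
    return age <= timedelta(days=max_age_days) and account.total_events <= max_events


def burst_members(stars, window=timedelta(hours=24), min_size=10):
    """Heuristic 2 (assumed thresholds): stars on one repo that fall inside a dense
    window. Returns the (login, starred_at) keys of every star that belongs to
    some window of at least min_size stars."""
    ordered = sorted(stars, key=lambda s: s.starred_at)
    members = set()
    left = 0
    for right, s in enumerate(ordered):
        # shrink the window from the left until it spans at most `window`
        while s.starred_at - ordered[left].starred_at > window:
            left += 1
        if right - left + 1 >= min_size:
            members.update((e.login, e.starred_at) for e in ordered[left:right + 1])
    return members


def audit_repo(repo, stars, accounts):
    """Count suspect stars on `repo` and flag a campaign if they cluster in time."""
    repo_stars = [s for s in stars if s.repo == repo]
    suspect = [s for s in repo_stars if is_low_activity(accounts[s.login], s)]
    campaign = bool(burst_members(suspect))
    total = len(repo_stars)
    return {
        "repo": repo,
        "stars": total,
        "low_activity": len(suspect),
        "ratio": len(suspect) / total if total else 0.0,
        "campaign": campaign,
    }


T0 = datetime(2024, 7, 1, 12, 0)


def build_sample():
    """Constructed data, not from the study: one organic repo, one with a campaign."""
    accounts, stars = {}, []
    # Organic: 12 stars spread over 12 weeks from old accounts with rich histories
    for i in range(12):
        login = f"dev{i:02d}"
        accounts[login] = Account(login, T0 - timedelta(days=800 + 10 * i), 300 + i)
        stars.append(StarEvent("org/legit-tool", login, T0 + timedelta(weeks=i)))
    # Campaign: 15 stars within 90 minutes from 3-day-old accounts with one event each
    for i in range(15):
        login = f"user{i:04d}"
        accounts[login] = Account(login, T0 - timedelta(days=3), 1)
        stars.append(StarEvent("org/game-cheat", login, T0 + timedelta(minutes=6 * i)))
    # A few genuine stars on the same repo so the suspect ratio is below 100%
    for i in range(3):
        login = f"curious{i}"
        accounts[login] = Account(login, T0 - timedelta(days=500), 80)
        stars.append(StarEvent("org/game-cheat", login, T0 + timedelta(days=i + 1)))
    return accounts, stars


if __name__ == "__main__":
    accounts, stars = build_sample()
    for repo in ("org/legit-tool", "org/game-cheat"):
        print(audit_repo(repo, stars, accounts))
```

Real GitHub data would come from the public events archive or the stargazers API rather than from `build_sample()`, and the thresholds above are illustrative; the point of the example is that account age, activity history and timing together separate a purchased burst from organic interest far better than the raw star count does.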
The paper states, “The amount of fake starring activity has been increasing since 2022 and surged in 2024 (note that the y-axes are log-transformed): Most of the months before 2022 saw at most 10 repositories with fake star campaigns, but the numbers grow to a dozen in 2022 and 2023, and further grow to thousands in 2024. These activities peaked in July 2024 in our dataset, when there were 3,216 repositories with fake star campaigns and 30,779 participating users.”
This is mostly a concern for software developers, but it affects anyone who uses stars on GitHub projects as an indicator of quality, safety, or popularity. If you’re not sure whether the app or project you’re looking at is legitimate, check the issues page (the researchers found malicious repositories where users had posted warnings as issues), look at who the stargazers are (many recently created accounts with no other activity, all starring within a short period, fits the bots and crowdsourced accounts the paper describes), and look for links to the project from other reputable sites, such as Wikipedia or the developer’s own website.
Source: 4.5 Million (Suspected) Fake Stars in GitHub via Bleeping Computer