A new study sheds light on fake GitHub stars being added to boost malicious repositories. So the next time you see a new software project, don’t judge it by its star count: stars are no longer a reliable indicator of quality.
The study, carried out by researchers from North Carolina State University, shows how commonly fake stars are used, despite GitHub’s popularity as a host for software projects and downloads.
Starring a repository is much like liking a post on a social media app. Because there are so many projects, highly starred repositories are showcased on home pages and in other prominent locations. Several reports have described malicious actors placing thousands of stars on projects that are not genuine, purely to spread malware.
The new research adds more on this front, including how these campaigns are supported by bots and by crowdsourced humans. The same goes for exchange platforms where users trade their stars for other rewards.
Most fake stars are used for growth hacking; they can attract VC funding while also promoting malware-infested repositories. The study goes on to explain how repositories with fake stars gain an unfair advantage in GitHub’s popular content, which is then exploited in various ways and harms stakeholders across the entire software supply chain.
To gain more insight, the authors built a tool dubbed StarScout, which scans repositories and GitHub accounts for fake stars using database dumps of data from previous years.
The results showed that campaigns built on unreliable or fake stars are widespread: so far, 4.5M fake stars have been confirmed across different repositories. The boosted projects tend to be pirated software, crypto bots, and game cheats, with the malware hidden inside their code.
The study also finds that fake starring has been on the rise since 2022 and peaked in 2024. The campaigns kept growing and reached a new high in 2024, with activity spiking in July 2024, when fake star campaigns were at their height and nearly 30K people were participating.
The news is worrying for software developers, but it affects anyone who relies on these ratings to judge projects. Stars are, after all, treated as an indicator of safety, popularity, and even quality. But when your gut tells you that something does not look real, check the project’s issues page and look for links to the project on sites you can trust, such as Wikipedia.
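The article says StarScout looks at both repositories and the accounts that star them, and it closes by urging readers not to take star counts at face value. As an added illustration (not StarScout's code or its published method), the following heuristic, run over a constructed set of star events, flags days on which a repository's stars arrive in a burst from freshly created accounts with almost no other public activity; the thresholds and the sample data are assumptions for the example.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample star events for one repository (not real GitHub data).
# Each tuple: (account login, account created, other public events, starred at).
STAR_EVENTS = [
    ("dev-alice", date(2019, 3, 2), 412, datetime(2024, 7, 9, 10, 5)),
    ("dev-bob", date(2021, 11, 17), 88, datetime(2024, 7, 10, 14, 30)),
    ("acct-0001", date(2024, 7, 13), 0, datetime(2024, 7, 14, 8, 1)),
    ("acct-0002", date(2024, 7, 13), 0, datetime(2024, 7, 14, 8, 1)),
    ("acct-0003", date(2024, 7, 13), 1, datetime(2024, 7, 14, 8, 2)),
    ("acct-0004", date(2024, 7, 14), 0, datetime(2024, 7, 14, 8, 2)),
    ("acct-0005", date(2024, 7, 14), 0, datetime(2024, 7, 14, 8, 3)),
    ("dev-carol", date(2018, 5, 30), 950, datetime(2024, 7, 14, 9, 45)),
    ("dev-dan", date(2020, 1, 8), 203, datetime(2024, 7, 20, 17, 12)),
]

def is_low_activity(created, other_events, starred_at, max_age_days=30, max_events=1):
    """An account that barely exists apart from this star: created shortly
    before starring and with (almost) no other public activity. Thresholds
    are illustrative assumptions."""
    age_days = (starred_at.date() - created).days
    return age_days <= max_age_days and other_events <= max_events

def suspicious_star_days(events, min_stars=5, min_low_share=0.6):
    """Group stars by calendar day and return the days that look like a
    bought or botted burst: at least `min_stars` stars, of which at least
    `min_low_share` come from low-activity accounts.
    Returns {day: (total_stars, low_activity_stars)}."""
    per_day = defaultdict(lambda: [0, 0])
    for _login, created, other_events, starred_at in events:
        bucket = per_day[starred_at.date()]
        bucket[0] += 1
        if is_low_activity(created, other_events, starred_at):
            bucket[1] += 1
    return {day: (total, low) for day, (total, low) in per_day.items()
            if total >= min_stars and low / total >= min_low_share}

def low_activity_share(events):
    """Fraction of all stars on the repository that come from low-activity accounts."""
    if not events:
        return 0.0
    low = sum(1 for _l, c, n, t in events if is_low_activity(c, n, t))
    return low / len(events)

if __name__ == "__main__":
    for day, (total, low) in sorted(suspicious_star_days(STAR_EVENTS).items()):
        print(f"{day}: {total} stars, {low} from low-activity accounts")
    print(f"low-activity share: {low_activity_share(STAR_EVENTS):.2f}")
```

On the sample, only 2024-07-14 is flagged (six stars, five from day-old accounts), while the genuine stars spread over other days are left alone.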