Researchers found 4.5 million fake stars on GitHub

The platform’s ranking and recommendations lean heavily on stars

Users are being urged to consider much more than just the number of stars

New research has revealed how widespread fake stars are across the GitHub platform, which could prove dangerous by increasing the visibility of malicious repositories associated with scam activity.

Similar to likes on social media, stars allow users to show their support for repositories. The more stars a repository has, the more likely it is to appear in GitHub’s global ranking system and recommendations, extending its reach to more unsuspecting users.

Knowing this, threat actors have now gone on to create automated accounts to artificially star their dodgy repositories to spread malware.

GitHub star ratings helping to spread malware

The company confirms on a help page: “Many of GitHub's repository rankings depend on the number of stars a repository has. In addition, Explore GitHub shows popular repositories based on the number of stars they have.”

A new study published in December 2024 by researchers at Carnegie Mellon University, Socket Inc and North Carolina State University reveals that 4.5 million stars on the platform are believed to be inauthentic. They summarize the problem as a “prevalent and escalating threat happening in a platform central to modern open-source software development,” describing GitHub repositories as the “de facto distribution channels for software components.”

In total, an estimated 4.5 million stars across nearly 23,000 repositories were attributed to 1.32 million accounts, highlighting just how widespread the problem has become on the platform.

The study also noted a rise in fake star activity throughout 2024, with GitHub already taking action to counter dodgy users and repositories.

Stars were previously used as a measure of how good a repository is; GitHub users are now being advised to consider other factors, such as a repository’s activity, the authenticity of its stargazers and its code quality.
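As an added illustration of what “looking beyond the star count” can mean in practice, the following Python snippet scores a repository’s stargazers with two defender-side heuristics: the share of stars that come from very young or otherwise inactive accounts, and the largest number of stars given within any 24-hour window. This is example code written for this article, not the method used in the study and not GitHub’s own logic; the `Stargazer` fields, the sample accounts and the thresholds are all constructed assumptions, and a real check would populate the records from the GitHub API before scoring them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Stargazer:
    """One stargazer record. Field set is an assumption modelled on what the
    GitHub API exposes about a user and a star event."""
    login: str
    created_at: datetime   # when the account was created
    starred_at: datetime   # when this account starred the repository
    public_repos: int
    followers: int


def is_low_signal(s: Stargazer, min_age_days: int = 30) -> bool:
    """Heuristic (assumed thresholds): a star carries little signal when the
    account was created shortly before starring, or shows no public activity."""
    account_age = s.starred_at - s.created_at
    no_footprint = s.public_repos == 0 and s.followers == 0
    return account_age < timedelta(days=min_age_days) or no_footprint


def largest_burst(stargazers: List[Stargazer],
                  window: timedelta = timedelta(hours=24)) -> int:
    """Largest number of stars given inside any sliding window of `window`
    length, found with a two-pointer sweep over the sorted star times."""
    times = sorted(s.starred_at for s in stargazers)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def assess(stargazers: List[Stargazer],
           low_signal_threshold: float = 0.5,
           burst_threshold: float = 0.5) -> Dict:
    """Summarise the stargazer set and flag it when either the low-signal share
    or the burst share crosses the (assumed) threshold."""
    n = len(stargazers)
    if n == 0:
        return {"stargazers": 0, "low_signal_ratio": 0.0,
                "largest_24h_burst": 0, "burst_ratio": 0.0, "suspicious": False}
    low = sum(1 for s in stargazers if is_low_signal(s))
    burst = largest_burst(stargazers)
    low_ratio, burst_ratio = low / n, burst / n
    return {
        "stargazers": n,
        "low_signal_ratio": round(low_ratio, 3),
        "largest_24h_burst": burst,
        "burst_ratio": round(burst_ratio, 3),
        "suspicious": low_ratio >= low_signal_threshold or burst_ratio >= burst_threshold,
    }


# --- Constructed sample data (not real accounts) ---------------------------
def _dt(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h)


# Organic-looking history: long-lived accounts starring months apart.
ORGANIC = [
    Stargazer("alice", _dt(2019, 3, 1), _dt(2024, 1, 5), 12, 40),
    Stargazer("bob", _dt(2020, 7, 14), _dt(2024, 2, 11), 3, 5),
    Stargazer("carol", _dt(2017, 11, 2), _dt(2024, 3, 20), 25, 110),
    Stargazer("dave", _dt(2021, 5, 9), _dt(2024, 5, 2), 1, 2),
    Stargazer("erin", _dt(2018, 1, 30), _dt(2024, 6, 18), 8, 17),
    Stargazer("frank", _dt(2022, 9, 3), _dt(2024, 8, 9), 0, 3),
]

# Inflated-looking history: 40 empty accounts created about a week before they
# all star within the same 40 minutes, mixed with two organic stargazers.
INFLATED = [
    Stargazer(f"user{i:03d}",
              _dt(2024, 9, 1) + timedelta(days=i % 3),
              _dt(2024, 9, 10, 14) + timedelta(minutes=i),
              0, 0)
    for i in range(40)
] + ORGANIC[:2]


if __name__ == "__main__":
    for name, data in (("organic", ORGANIC), ("inflated", INFLATED)):
        print(name, assess(data))
```

Both heuristics are cheap to compute and, taken together, separate the constructed samples cleanly, but they are indicators rather than proof: a legitimate launch announcement can also produce a burst, so a flagged repository deserves a look at its commit activity, maintainers and code rather than an automatic verdict.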