
Over 3.1 Million Fake ‘Stars’ on GitHub Projects Used To Boost Rankings
Researchers found extensive manipulation of GitHub’s star rating system.
According to a new study by Socket, Carnegie Mellon University, and North Carolina State University, more than 3.1 million fake stars were discovered in 15,835 repositories.
The research team used their “StarScout” detection tool to analyze 20TB of GHArchive data, covering 6 billion GitHub events from 2019 to 2024. The tool identified 278,000 accounts involved in coordinating inauthentic behavior to artificially boost repository rankings.
GitHub uses stars, similar to social media likes, to rank projects and recommend content to users. The platform has previously experienced malicious exploitation of the system, including the “Stargazers Ghost Network” malware operation discovered last summer. By October 2024, approximately 91% of flagged repositories and 62% of suspicious accounts had been removed.
2024-12-31 17:27:00