Millions of users of GitHub, the premier online platform for sharing open-source software, rely on stars to establish their software product's credibility. But new research from Carnegie Mellon University's School of Computer Science shows this star-based system has grown star-crossed.
Researchers in the Software and Societal Systems Department found that users increasingly buy or trade for fake stars. Some use their ill-gotten cachet to quickly build up the reputation of repositories, the GitHub homes for software projects. More diabolically, other bad actors use fake stars to attract unsuspecting users so they can steal their cryptocurrency, swipe their credentials or trick them into downloading malicious software.
From July 2019 to December 2024, the CMU researchers counted six million stars on GitHub that appear to be fakes.
"We're not the first people to talk about this, so we weren't surprised to find fake stars that were associated with scams," said Bogdan Vasilescu, an S3D associate professor. "But we were surprised by their volume."
Social media platforms have long used popularity signals — such as stars, likes, followers or retweets — to establish user reputations. And for just as long, some users have boosted their profiles by buying or otherwise acquiring fake, unearned stars or other signals.
"One way to think of the GitHub ecosystem as a whole is as an attention economy, much like social media," Vasilescu said.
GitHub is organized such that each software project resides in its own repository. There are millions of repositories, and they all seek to attract users who might download their software or help further develop a project. In such a competitive enterprise, accumulating stars can be critical.
Fake stars might seem like a shortcut to such acceptance, and various vendors have cropped up to sell them. (Try Googling "buy GitHub stars.") But it's also possible to trade for stars on exchange sites. The use of fake stars on GitHub began growing in 2022 and surged in 2024. At their peak — to date, in July 2024 — more than 16 percent of GitHub repositories were associated with fake star campaigns.
The CMU researchers found that fake star campaigns intended simply to boost the popularity of a repository usually don't work for long. Unfortunately, most fake star campaigns are associated with malicious sites that pose a real security threat.
Some of these scam repositories try to entice someone to download a bit of software — a cheat for a videogame, for example. Launching the software activates a bit of hidden, nasty software. For example, the researchers cite a file that appeared to be a blockchain application but actually stole cryptocurrency from the user.
A more ambitious approach, called a software supply chain attack, involves a piece of malicious code attached to legitimate, widely used software.
"No software these days is written from scratch," Vasilescu said. "We reuse things as much as possible. Every bit of software is built upon other bits of software."
These packages of reused and overlapping bits of software constitute the software supply chain. A bit of nefarious software inserted in the right place can affect a substantial number of applications downstream in the supply chain.
Last year, computer scientists uncovered a software supply chain attack that came to be known as the XZ Backdoor. A fraudster gained access to XZ Utils, a package of compression/decompression software that has been incorporated into many computer systems. The fraudster added hidden software that created a "backdoor" that enabled unauthorized access to any computer system using this modified software.
"XZ Backdoor was the most famous attack of this kind to date and also the most elaborate," Vasilescu said.
The perpetrator spent about two years earning the trust of the people who controlled the XZ Utils repository until he was given authorization to modify the code. The scheme was cut short, however, when a Microsoft software engineer discovered the backdoor while investigating the cause of unusual software test results.
While the XZ Backdoor supply chain attack was not propped up by fake stars, it illustrates how vulnerable open-source software can be when nefarious actors are involved. Fake stars muddy the waters when trying to differentiate the good from the bad.
To study the fake star phenomenon, the researchers — including Hao He, a Ph.D. student in software engineering, and Christian Kästner, an associate professor in S3D — created a tool called StarScout that scans GitHub activity looking for anomalous behaviors.
The behaviors of interest fall into two categories. One is an account that has little activity and often has empty profiles and default avatars. The other behavior involves large groups of accounts that seem to act in lockstep, all awarding stars within a short time span.
This latter category seems to identify accounts linked with star vendors, Vasilescu said.
"It's necessarily the case that if you're one of these merchants, the delivery of fake stars happens quickly because otherwise you would have a dissatisfied customer," he explained.
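The two signals described above (near-empty accounts, and groups of such accounts starring a repository in lockstep) can be combined into a simple detector. The code below is an added illustration written for this article, not StarScout itself or any GitHub code; the star-event fields, thresholds and sample data are all assumed and constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class StarEvent:          # assumed shape of one "user starred repo" record
    repo: str
    user: str
    starred_at: datetime
    public_events: int    # how much visible activity the account has
    has_bio: bool         # False means an empty profile
    default_avatar: bool

def looks_low_activity(ev, max_events=2):
    """Signal one: barely active account with an empty profile and default avatar."""
    return ev.public_events <= max_events and not ev.has_bio and ev.default_avatar

def suspicious_bursts(events, gap=timedelta(minutes=5), min_accounts=5):
    """Signal two: low-activity accounts starring one repo in lockstep.
    Consecutive stars at most `gap` apart form a cluster; a cluster holding
    at least `min_accounts` distinct accounts is flagged. Returns {repo: [[users], ...]}."""
    by_repo = defaultdict(list)
    for ev in events:
        if looks_low_activity(ev):
            by_repo[ev.repo].append(ev)
    flagged = {}
    for repo, evs in by_repo.items():
        evs.sort(key=lambda e: e.starred_at)
        clusters, current = [], [evs[0]]
        for prev, ev in zip(evs, evs[1:]):
            if ev.starred_at - prev.starred_at <= gap:
                current.append(ev)
            else:
                clusters.append(current)
                current = [ev]
        clusters.append(current)
        bursts = [sorted({e.user for e in c}) for c in clusters
                  if len({e.user for e in c}) >= min_accounts]
        if bursts:
            flagged[repo] = bursts
    return flagged

# Constructed sample: six throwaway accounts star one repo within four minutes,
# while a second repo collects stars from established accounts over several days.
T0 = datetime(2024, 7, 1, 12, 0)
SAMPLE = [StarEvent("example/game-cheat", f"bot{i}", T0 + timedelta(seconds=40 * i), 0, False, True)
          for i in range(6)]
SAMPLE += [StarEvent("example/game-cheat", "maintainer_jane", T0 + timedelta(hours=3), 500, True, False),
           StarEvent("example/real-lib", "bot6", T0, 0, False, True)]
SAMPLE += [StarEvent("example/real-lib", f"dev{i}", T0 + timedelta(days=i), 120, True, False)
           for i in range(5)]
```

Running `suspicious_bursts(SAMPLE)` flags only `example/game-cheat`; the single throwaway account on `example/real-lib` is not enough to form a burst, which is the point of requiring both signals together.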
What's to be done about the fake star problem? The researchers suggest that reducing the reliance on stars for GitHub's reputation system would make sense. Another approach might be to not count everyone's stars equally. Perhaps only users who have held accounts for a long time or have otherwise established their own reputations should be allowed to issue stars.
Vasilescu said that regular use of a tool such as StarScout would also be advisable. In this case, the people who run GitHub have advantages in using such tools. Unlike the CMU researchers, who could only access public data, GitHub operators can access private data, such as user IP addresses.
The research team's report on StarScout and GitHub fake stars has been accepted for the 2026 International Conference of Software Engineering. In addition to He, Vasilescu and Kästner, the team included Haoqin Yang, an undergraduate CMU computer science major; Alexandros Kapravelos, a computer scientist at North Carolina State University; and Philipp Burckhardt, a data scientist with Socket Inc., a cybersecurity firm that specializes in software supply chain attacks.