GitHub for several years has had a problem with fake stars being used to artificially boost the popularity of code repositories, particularly those containing malware or used for scams. A recent report shows just how big a problem this is and how it rapidly expanded in 2024.
An analysis by Carnegie Mellon University, North Carolina State University, and developer-focused security platform firm Socket found that about 4.5 million stars on GitHub are inauthentic, a situation that the authors wrote is a “prevalent and escalating threat happening in a platform central to modern open-source software development.”
“Despite its wide prevalence and rising popularity, our findings have also revealed its shady nature: fake stars are at worst, used to spread malware in short-lived repositories, and at best, used as a short-term promotional tool, which does not bring long-term returns,” they wrote.
Stars on code repositories are like “likes” on social media, used to promote and increase the popularity of repositories and the developers behind them. The system can be gamed by using fake stars to inauthentically grow the presence of repositories and in recent years, cybersecurity researchers have found bad actors using fake stars to promote code repositories that contain malware, adding fuel to an accelerating trend of software supply chain threats.
A Problem Years in the Making
Checkmarx in late 2023 wrote that “the growing demand for artificially boosting one’s presence in this thriving community has led to the emergence of a massive black market, with online stores and chat groups openly selling GitHub stars.”
Researchers with Dagster, a data orchestrator vendor for data engineers, earlier that year wrote that those looking to buy GitHub stars didn’t need to go to the dark web; they found dozens of such services through a Google search. They found one repository with 24 fake stars attached.
The authors of the most recent report also found star-selling services on Google, selling stars for 10 cents to $2 apiece and promising to deliver the stars in hours or days.
“These bought GitHub stars … corrupt the already-limited value of the GitHub star count as a decision-making signal for stakeholders in the software supply chain and may pose a security threat to all GitHub users,” they wrote.
Surge of Activity in 2024
To better measure the problem, they built StarScout, a tool for detecting fake starring behaviors – like low activity and lockstep trends – across GitHub and found that such activities surged in 2024 and that most were used to promote short-lived malware repositories that were posing as pirating software, game cheats, or cryptocurrency bots.
They also wrote that the characteristics in profiles of fake stargazers are similar to those of average GitHub users but that many have “highly abnormal activity patterns.” In addition, fake stars used to promote the growth of a repository typically help for fewer than two months before becoming a burden, the researchers wrote.
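A simplified illustration of the two signals named above, low-activity accounts and lockstep starring bursts, written as an added example for this article rather than StarScout's own code; the star events, activity counts, one-hour window and cluster size are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real GitHub accounts or repositories).
T0 = datetime(2024, 7, 1, 12, 0)
STAR_EVENTS = [  # (user, repo, starred_at)
    ("alice", "org/legit-tool", T0),
    ("bob", "org/legit-tool", T0 + timedelta(days=2)),
    ("carol", "org/legit-tool", T0 + timedelta(days=5)),
    ("bot01", "x/game-cheat", T0),
    ("bot02", "x/game-cheat", T0 + timedelta(minutes=5)),
    ("bot03", "x/game-cheat", T0 + timedelta(minutes=12)),
    ("dave", "x/game-cheat", T0 + timedelta(minutes=15)),  # real user in the burst
    ("bot04", "x/game-cheat", T0 + timedelta(minutes=20)),
]
# Assumed count of non-star public events (commits, issues, PRs) per account.
ACTIVITY = {"alice": 120, "bob": 45, "carol": 8, "dave": 30,
            "bot01": 0, "bot02": 0, "bot03": 0, "bot04": 0}


def low_activity_stargazers(events, activity, max_events=0):
    """Accounts whose only visible behaviour is starring."""
    return {user for user, _, _ in events if activity.get(user, 0) <= max_events}


def lockstep_clusters(events, window=timedelta(hours=1), min_size=3):
    """Per repo, accounts in any burst of >= min_size stars inside `window`."""
    by_repo = defaultdict(list)
    for user, repo, ts in events:
        by_repo[repo].append((ts, user))
    clusters = {}
    for repo, stars in by_repo.items():
        stars.sort()  # sliding window over timestamps
        start = 0
        for end in range(len(stars)):
            while stars[end][0] - stars[start][0] > window:
                start += 1
            if end - start + 1 >= min_size:
                clusters.setdefault(repo, set()).update(u for _, u in stars[start:end + 1])
    return clusters


def suspected_fake_stars(events, activity):
    """Flag a star only when both signals agree. Returns {repo: {user, ...}}."""
    low = low_activity_stargazers(events, activity)
    clusters = lockstep_clusters(events)
    flagged = defaultdict(set)
    for user, repo, _ in events:
        if user in low and user in clusters.get(repo, set()):
            flagged[repo].add(user)
    return dict(flagged)
```

Requiring both signals keeps an active user who happens to star during a burst (dave above) from being flagged, which is the false-positive case a maintainer auditing their own stargazers cares about most.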
Looking back five years, the use and impact of fake stars were limited until last year, when StarScout detected fake stars in 15.84% of repositories with about 50 stars.
The same month, Check Point wrote about a threat group, Stargazer Goblin, that was behind a network of GitHub accounts they called the Stargazers Ghost Network that distributed malware and malicious links via phishing repositories in GitHub and used techniques – including starring – to make them appear legitimate. The network, which comprised more than 3,000 such accounts, distributed such malware as Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer and RedLine.
A Software Supply Chain Threat
“From a security perspective, our analysis of fake stars confirms the public perception that malicious activities are becoming increasingly common in the current software supply chain,” the university and Socket researchers wrote in their 18-page report. “What’s more, we showcase how scams and malware can be promoted through fake signals in GitHub, reflecting the issues seen on social media but in a unique high-stake scenario.”
The report adds to the growing body of evidence of the increasing use of fake stars for malicious purposes and puts greater pressure on developers to validate the source of software components before using them.
The researchers reiterated the “critical need for vigilance in assessing other repository signals beyond star counts” and also urged the development of better ways to signal the popularity of repositories and developers. In addition, there needs to be more research on spam, fraudulent, and other malicious activities in the software supply chain, particularly given the risk of social engineering attacks, they wrote.