sign in with GitHub
TrustOSS logo

$ less blog/six-million-fake-github-stars.md

Six Million Fake GitHub Stars: Why Star Counts Lie and How to Audit Them

2026-07-13 · 7 min read · github / fake stars / supply chain security / open source

Every developer uses star counts as a shortcut. Two libraries solve the same problem; one has 12,000 stars, the other has 800 — most of us pick the first one without thinking twice. That shortcut is exactly what makes stars worth faking, and the faking is now happening at industrial scale.

A research team from Carnegie Mellon University, Socket, and North Carolina State University measured just how industrial. Their paper, “Six Million (Suspected) Fake Stars in GitHub: A Growing Spiral of Popularity Contests, Spams, and Malware” (He, Yang, Burckhardt, Kapravelos, Vasilescu, and Kästner), scanned GitHub activity from 2019 to 2024 with a detector called StarScout and found roughly 6 million suspected fake stars — about 3.8 million of them surviving conservative post-processing — spread across 18,617 repositories and involving 301,000 accounts.

## The market for fake credibility

Buying stars is neither hard nor expensive. Merchants openly sell them in batches of 50 or 100, and the paper documents a surge of campaign activity through 2024: by July 2024, 16.66% of repositories that trended into popularity that month (3,499 of them) showed evidence of a fake star campaign. At the peak in March 2024, 6.59% of all star-giving accounts — 117,024 accounts — were participating in coordinated campaigns.

What are those stars promoting? Mostly not ambitious startups gaming a leaderboard. The study found that most fake stars promote short-lived phishing and malware repositories — fake game cheats, cracked software, crypto bots — with the remainder boosting AI/LLM projects, blockchain tools, and tutorial repos. A star count is a trust signal, and malware distributors have learned to buy trust directly.

## How researchers spot a bought star

StarScout flags two complementary signatures:

  • -The empty-account signature. An account stars exactly one repository, performs at most one other action on the same repo the same day, and then goes silent forever. Real developers leave footprints: repos, issues, follows, years of scattered activity. Rented accounts do not.
  • -The lockstep signature. Clusters of at least ~50 accounts starring the same set of 10+ repositories inside the same 30-day window. Organic interest does not move in convoys; botnets do.

GitHub's own enforcement confirms the findings: 90.42% of the flagged repositories and 57.07% of the flagged accounts had already been deleted by the end of the study — against a baseline deletion rate of about 5% for normal repos.

## Fake stars work — briefly — then poison the repo

The paper's regression analysis shows fake stars only have a promotion effect in the short term (less than two months) and become a liability in the long term.

That short window is all a malware campaign needs: trend, infect, delete, repeat. But for anyone choosing a dependency, the implication is different: a star count on its own tells you almost nothing trustworthy about a young repository — precisely the repositories where you need the signal most.

## How to audit a repository's stars yourself

The good news: the same signals researchers use are visible on any public repo, if you look past the number.

  • -Plot the growth curve. Organic projects grow in slopes and news-driven steps. A vertical cliff of thousands of stars in days, on a repo with no matching release or launch, is a campaign fingerprint.
  • -Sample the stargazers. Open the profiles of the people who starred recently. Accounts created last month, zero followers, zero or one repository, no activity — that is the empty-account signature in the wild.
  • -Weigh stars against everything else. 10,000 stars with 12 forks, 3 contributors, and no dependent packages is a shape that organic projects almost never have.

TrustOSS automates exactly this audit. Run any repository through the analyzer and hit $ ./star-audit --run: it draws the star history curve, profiles the most recent stargazers (account age, followers, repositories), classifies each one — veteran, active developer, newcomer, or empty profile — and tells you when the audience looks rented. The deep scan adds the structural checks: real dependents from deps.dev, contributor concentration, CI health, and known vulnerabilities from OSV.

## The takeaway

Stars were designed as a bookmark, got repurposed as a reputation system, and are now a market. The numbers say the quiet part out loud: six million of them are probably fake, and the fakes cluster exactly where trust matters most — new, fast-rising repositories. Popularity is not proof. Audit the audience, not the applause.

# audit any repository's stars and health in seconds

$ trustoss --analyze