Researchers have uncovered widespread manipulation of GitHub’s star-rating system, with over 3.1 million fraudulent stars identified across 15,835 repositories, according to a new study by Socket, Carnegie Mellon University, and North Carolina State University.
The research team analyzed 20TB of data from GHArchive, spanning 6 billion GitHub events from 2019 to 2024, using their “StarScout” detection tool. The tool identified 278,000 accounts engaging in coordinated inauthentic behavior to artificially boost repository rankings.
GitHub uses stars, similar to social media likes, to rank projects and recommend content to users. The platform has previously encountered malicious exploitation of this system, including the “Stargazers Ghost Network” malware operation discovered last summer. Approximately 91% of flagged repositories and 62% of suspicious accounts were removed by October 2024.
