GitHub has a major problem with fake rankings, which puts users at risk of attack
- Researchers found 4.5 million fake stars on GitHub
- The platform’s ranking and recommendations rely heavily on stars
- Users are urged to consider much more than just the number of stars
New research has revealed the prevalence of fake stars on the GitHub platform, which could be dangerous by increasing the visibility of malicious repositories linked to scam activities.
Just like likes on social media, stars let users show support for a repository. The more stars a repository has, the more likely it is to surface in GitHub’s global rankings and recommendations, extending its reach to more unsuspecting users.
Knowing this, threat actors have been creating automated accounts to artificially star their untrustworthy repositories and use that visibility to spread malware.
GitHub star ratings help spread malware
The company confirms on a help page: “Many of GitHub’s repository rankings depend on the number of stars a repository has. Additionally, Explore GitHub shows popular repositories based on the number of stars they have.”
A study published in December 2024 by researchers from Carnegie Mellon University, Socket Inc. and North Carolina State University estimates that 4.5 million stars on the platform are inauthentic. The authors summarize the problem as a “prevalent and escalating threat taking place on a platform at the heart of modern open-source software development,” describing GitHub repositories as the “de facto distribution channels for software components.”
In total, an estimated 4.5 million stars across nearly 23,000 repositories were attributed to 1.32 million accounts, underscoring how widespread the problem has become on the platform.
The study also found an increase in fake-star activity in 2024, and GitHub has already begun taking action against untrustworthy accounts and repositories.
Stars were once treated as a proxy for how good a repository is; GitHub users are now advised to weigh other factors, such as the repository’s activity, its authenticity, and the quality of its code.
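One way to act on that advice is to look at who is doing the starring rather than how many stars there are. The script below is an added example written for this page; it is not code from the study, from Socket, or from GitHub, and the thresholds it uses (an account younger than 30 days at the time it starred, at most one public repository and one follower, and three or more such accounts starring within an hour of each other) are assumptions chosen for illustration, not figures from the paper. The input rows are constructed, but their shape mirrors what GitHub’s stargazers endpoint returns when requested with the `application/vnd.github.star+json` media type (which adds a `starred_at` timestamp per user), joined with the `created_at`, `public_repos` and `followers` fields of each user’s profile.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not real GitHub accounts or stars). Each row is:
# login, starred_at, account created_at, public_repos, followers.
SAMPLE_STARGAZERS = [
    ("maria-dev",    "2023-03-02T10:15:00Z", "2016-07-01T00:00:00Z", 42, 120),
    ("ops-bob",      "2023-09-14T08:30:00Z", "2018-11-20T00:00:00Z",  9,  15),
    ("kernel-kate",  "2024-06-21T17:05:00Z", "2012-02-08T00:00:00Z", 77, 410),
    ("new-but-real", "2024-11-30T12:00:00Z", "2024-10-01T00:00:00Z",  3,   2),
    # Six accounts created a day or two before starring, with almost no
    # profile activity, all starring within a few minutes of each other.
    ("user-a8f1",    "2024-12-10T03:01:00Z", "2024-12-08T00:00:00Z",  0,   0),
    ("user-b2c7",    "2024-12-10T03:02:30Z", "2024-12-08T00:00:00Z",  0,   0),
    ("user-c9d0",    "2024-12-10T03:04:10Z", "2024-12-09T00:00:00Z",  0,   0),
    ("user-d4e2",    "2024-12-10T03:05:45Z", "2024-12-09T00:00:00Z",  1,   0),
    ("user-e5f3",    "2024-12-10T03:07:00Z", "2024-12-09T00:00:00Z",  0,   1),
    ("user-f6a4",    "2024-12-10T03:09:20Z", "2024-12-09T00:00:00Z",  0,   0),
]


@dataclass
class Stargazer:
    login: str
    starred_at: datetime
    created_at: datetime
    public_repos: int
    followers: int


def parse_ts(value: str) -> datetime:
    """Parse the UTC timestamp format GitHub's API uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def load(rows) -> list[Stargazer]:
    return [Stargazer(l, parse_ts(s), parse_ts(c), r, f) for l, s, c, r, f in rows]


def is_low_activity(sg: Stargazer,
                    max_age: timedelta = timedelta(days=30),   # assumed threshold
                    max_repos: int = 1,                         # assumed threshold
                    max_followers: int = 1) -> bool:            # assumed threshold
    """An account that was brand new when it starred and shows almost no other
    activity is what a bulk-created starring account tends to look like."""
    age_at_star = sg.starred_at - sg.created_at
    return (age_at_star <= max_age
            and sg.public_repos <= max_repos
            and sg.followers <= max_followers)


def star_bursts(stargazers: list[Stargazer],
                window: timedelta = timedelta(hours=1),  # assumed lockstep window
                min_size: int = 3) -> list[list[Stargazer]]:
    """Group low-activity accounts whose stars arrive in lockstep: each star
    lands within `window` of the previous one. A single odd account proves
    little; a burst of them points at automation."""
    flagged = sorted((s for s in stargazers if is_low_activity(s)),
                     key=lambda s: s.starred_at)
    bursts: list[list[Stargazer]] = []
    current: list[Stargazer] = []
    for sg in flagged:
        if current and sg.starred_at - current[-1].starred_at > window:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(sg)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


def assess(rows) -> dict:
    """Summarize how much of a repository's star count looks inauthentic."""
    stargazers = load(rows)
    flagged = [s for s in stargazers if is_low_activity(s)]
    bursts = star_bursts(stargazers)
    total = len(stargazers)
    return {
        "total": total,
        "low_activity": len(flagged),
        "in_bursts": sum(len(b) for b in bursts),
        "bursts": [[s.login for s in b] for b in bursts],
        "suspect_ratio": round(len(flagged) / total, 2) if total else 0.0,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_STARGAZERS)
    print(f"{report['low_activity']}/{report['total']} stars from low-activity "
          f"accounts ({report['suspect_ratio']:.0%}); "
          f"{len(report['bursts'])} burst(s): {report['bursts']}")
```

On the constructed sample the six throwaway accounts form one burst and the 60-day-old `new-but-real` account is not flagged, which is the point of combining the account-age and activity checks with the timing check: a genuine newcomer who stars a project on their own is indistinguishable from a bot on profile fields alone, but genuine newcomers do not arrive six at a time within eight minutes. Against a real repository the same ratio is the number to watch, since a project whose stars are mostly clustered low-activity accounts should not be trusted on the strength of its star count.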