
Researchers from the School of Computer Science at Carnegie Mellon University have unveiled the results of a large-scale analysis revealing that GitHub’s “star” system—long regarded as a measure of a project’s popularity and trustworthiness—has been severely compromised by widespread manipulation. Between July 2019 and December 2024, they documented nearly six million fraudulent stars masquerading as genuine endorsements.
The study shows that this trend began accelerating in 2022 and peaked in July 2024, when more than 16% of repositories were linked to campaigns artificially inflating their star counts. Service providers offer both direct purchases and exchanges on specialized platforms. While many of these schemes aim simply to fabricate the appearance of popularity, a substantial share is tied to far more dangerous operations. With fake stars, attackers are able to push projects into prominence—projects that may steal cryptocurrency, harvest login credentials, or disguise malicious code as legitimate software.
In one case, victims were lured into installing a supposed blockchain application that was, in reality, a trojan designed to siphon funds from accounts. Another attack vector involved the software supply chain: malicious fragments were inserted into popular libraries, ensuring they spread across a wide range of dependent projects. The researchers drew parallels to last year’s XZ Backdoor incident, where an attacker spent nearly two years cultivating trust within the XZ Utils community before inserting a backdoor into a widely used package. That backdoor was discovered only by chance, after anomalous test results drew the attention of an engineer. Although fake stars did not play a role in that case, the episode underscores how difficult it can be to distinguish between safe and dangerous projects when reputation systems are so easily manipulated.
To detect the manipulations, the team employed a specialized tool for monitoring suspicious platform behavior. Indicators included accounts with no visible activity or profile details, and large numbers of stars being issued simultaneously by multiple accounts within a short timeframe—patterns especially typical of rating-boosting services. As the researchers note, speed of delivery is critical to such vendors, leading entire bot networks to act in near unison.
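The two indicators described above, worked through in Python on a small constructed star log; this is an added illustration, not the researchers' tool or data, and the account names, repository names and thresholds (activity count, five-minute window, burst size) are hypothetical:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical accounts and repos, not from the study).
USERS = {  # account -> activity count and whether the profile has any details
    "alice": {"activity": 120, "profile": True}, "bob": {"activity": 45, "profile": True},
    "bot01": {"activity": 0, "profile": False}, "bot02": {"activity": 0, "profile": False},
    "bot03": {"activity": 1, "profile": False}, "bot04": {"activity": 0, "profile": False},
}
STARS = [  # (repo, account, ISO timestamp of the star event)
    ("org/legit", "alice", "2024-07-01T10:00:00"),
    ("org/legit", "bob", "2024-07-03T14:30:00"),
    ("org/wallet", "bot01", "2024-07-05T09:00:00"),
    ("org/wallet", "bot02", "2024-07-05T09:00:20"),
    ("org/wallet", "bot03", "2024-07-05T09:00:45"),
    ("org/wallet", "bot04", "2024-07-05T09:01:10"),
    ("org/wallet", "alice", "2024-07-20T11:00:00"),
]

def is_low_activity(user, max_activity=2):
    """Signal 1: an account with (almost) no activity and no profile details."""
    u = USERS[user]
    return u["activity"] <= max_activity and not u["profile"]

def burst_stars(events, window=timedelta(minutes=5), min_size=3):
    """Signal 2: (account, time) events that fall inside any window holding
    at least min_size stars. Sliding window over the sorted timestamps."""
    events = sorted(events, key=lambda e: e[1])
    flagged, j = set(), 0
    for i in range(len(events)):
        while events[i][1] - events[j][1] > window:  # drop events older than window
            j += 1
        if i - j + 1 >= min_size:
            flagged.update(events[j:i + 1])
    return flagged

def suspicious_repos(stars=STARS, min_fraction=0.5):
    """Combine both signals: flag repos whose burst stars come mostly from
    low-activity accounts. Returns {repo: (burst size, low-activity count)}."""
    by_repo = defaultdict(list)
    for repo, user, ts in stars:
        by_repo[repo].append((user, datetime.fromisoformat(ts)))
    result = {}
    for repo, events in by_repo.items():
        burst = burst_stars(events)
        low = sum(1 for user, _ in burst if is_low_activity(user))
        if burst and low / len(burst) >= min_fraction:
            result[repo] = (len(burst), low)
    return result
```

On the sample log only `org/wallet` is flagged: four stars from empty accounts arrive within about a minute, while the later star from an established account and the slow, organic stars on `org/legit` are left alone.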
The researchers argue that GitHub must reconsider the role of stars within its reputation framework. One proposed solution is to count endorsements only from verified users with long-standing activity histories. They also recommend making detection tools a permanent part of the platform’s infrastructure. Their findings have been accepted for presentation at the 2026 International Conference on Software Engineering.