A recent study by researchers at Carnegie Mellon University, Socket Inc, and North Carolina State University has uncovered a concerning issue on GitHub: an estimated 4.5 million fake stars spread across approximately 23,000 repositories. These inauthentic stars, attributed to 1.32 million accounts, artificially boost the visibility of malicious repositories linked to scam activities. Because GitHub's ranking depends on stars, this manipulation expands the reach of malware within the platform.
GitHub’s ranking and recommendations heavily rely on the number of stars a repository has, influencing its global visibility and user reach. Threat actors have resorted to creating automated accounts to falsely star their repositories, perpetuating the distribution of malware. The platform acknowledges the impact of stars on repository rankings, highlighting the importance of considering factors beyond star count, such as activity, authenticity, and code quality.
The escalating trend of fake star activity in 2024 underscores the need for increased vigilance and measures against fraudulent users and repositories. GitHub users are advised to exercise caution and evaluate repositories based on comprehensive criteria to mitigate the risks associated with fake stars and malicious content.
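As an added illustration of evaluating a repository on criteria beyond its raw star count (this is example code written for this page, not the study's methodology or any GitHub tooling), the following screens a repository's stargazers for a burst of stars from freshly created accounts with no followers or public repositories. The record fields mirror what the GitHub API exposes for stargazers and users; the thresholds (24-hour window, 20-star burst, 50% low-activity share, 30-day account age) are assumptions chosen for the example, and the sample data is constructed.

```python
# Added example: heuristic screening of a repository's stargazers for
# burst-starring by empty, freshly created accounts. Thresholds are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass
class Stargazer:
    login: str
    starred_at: datetime   # when the account starred the repository
    created_at: datetime   # when the account itself was created
    followers: int
    public_repos: int


def is_low_activity(s: Stargazer, max_account_age_days: int = 30) -> bool:
    # Assumed heuristic: account was created shortly before starring and has no footprint.
    fresh = s.starred_at - s.created_at <= timedelta(days=max_account_age_days)
    return fresh and s.followers == 0 and s.public_repos == 0


def largest_burst(stars: Iterable[Stargazer], window: timedelta) -> int:
    # Sliding window over sorted star timestamps: most stars inside any single window.
    times = sorted(s.starred_at for s in stars)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def assess(stars: list, window=timedelta(hours=24), burst_min=20, low_ratio=0.5) -> dict:
    # Flag the repository only when a large burst occurs AND most stargazers look throwaway.
    low = [s.login for s in stars if is_low_activity(s)]
    burst = largest_burst(stars, window)
    ratio = len(low) / len(stars) if stars else 0.0
    return {"total": len(stars), "low_activity": len(low), "largest_burst": burst,
            "low_activity_ratio": round(ratio, 2),
            "suspicious": burst >= burst_min and ratio >= low_ratio}


# Constructed sample: five organic stars spread over months, then 30 stars within
# two hours from accounts created the day before with no followers or repositories.
BASE = datetime(2024, 6, 1)
SAMPLE = [Stargazer(f"dev{i}", BASE + timedelta(days=20 * i), BASE - timedelta(days=900), 40, 12)
          for i in range(5)]
SAMPLE += [Stargazer(f"acct{i:03d}", BASE + timedelta(days=120, minutes=4 * i),
                     BASE + timedelta(days=119), 0, 0) for i in range(30)]

if __name__ == "__main__":
    print(assess(SAMPLE))
```

On real data the records would come from the stargazers endpoint (with timestamps) and the corresponding user profiles; the scoring itself is local and needs no network access.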