GitHub has a major problem with fake rankings, which could put users at risk of attack
Don’t trust GitHub stars, report warns
- Researchers found 4.5 million fake stars on GitHub
- The platform’s ranking and recommendations lean heavily on stars
- Users are being urged to consider much more than just the number of stars
New research has revealed how widespread fake stars are across the GitHub platform, which could prove dangerous by increasing the visibility of malicious repositories associated with scam activity.
Similar to likes on social media, stars let users show their support for a repository. The more stars a repository has, the more likely it is to appear in GitHub’s global rankings and recommendations, extending its reach to more unsuspecting users.
Knowing this, threat actors have turned to networks of automated accounts that artificially star their dodgy repositories, putting malware in front of a wider audience.
GitHub star ratings helping to spread malware
The company confirms on a help page: “Many of GitHub's repository rankings depend on the number of stars a repository has. In addition, Explore GitHub shows popular repositories based on the number of stars they have.”
A new study published in December 2024 by researchers at Carnegie Mellon University, Socket Inc and North Carolina State University reveals that 4.5 million stars on the platform are believed to be inauthentic. They summarize the problem as a “prevalent and escalating threat happening in a platform central to modern open-source software development,” describing GitHub repositories as the “defacto distribution channels for software components.”
In total, an estimated 4.5 million stars across nearly 23,000 repositories were attributed to 1.32 million accounts, highlighting just how widespread the problem has become on the platform.
The study also noted a rise in fake star activity throughout 2024, with GitHub already taking action to counter dodgy users and repositories.
Stars were previously treated as a rough measure of how good a repository is; GitHub users are now being advised to weigh other factors as well, such as the repository’s activity, its authenticity and its code quality.
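The advice above is easier to act on with a concrete check. The following is an added example, not code from the article or from the researchers’ study: it applies two simple heuristics to a repository’s stargazer list, the share of stars that landed inside a single 24-hour window (organic stars trickle in; bought ones arrive in bursts) and the share of stargazers that are freshly created, empty accounts. The record layout mirrors what GitHub’s REST API returns (the stargazers endpoint with the `application/vnd.github.star+json` media type gives `starred_at`, and `GET /users/{login}` gives `created_at`, `public_repos` and `followers`), but the sample records, the thresholds and the function names are constructed for this example.

```python
"""Heuristics for spotting inauthentic GitHub stars (added example, not
from the article or the cited study).

Record shape follows the GitHub REST API: GET /repos/{owner}/{repo}/stargazers
with the header "Accept: application/vnd.github.star+json" returns one record
per star with "starred_at" and a "user" object, and GET /users/{login} adds
"created_at", "public_repos" and "followers". Everything below is offline;
the sample accounts are constructed and the thresholds are assumptions.
"""
from datetime import datetime, timedelta


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as the GitHub API formats it."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def burst_fraction(stargazers, window=timedelta(hours=24)) -> float:
    """Largest share of all stars that fell inside any single `window`.

    Sliding window over the sorted star times; a star-selling campaign
    typically shows up as most of the stars landing within a day or two.
    """
    times = sorted(_ts(s["starred_at"]) for s in stargazers)
    if not times:
        return 0.0
    best, lo = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best / len(times)


def looks_like_throwaway(star, max_age=timedelta(days=30)) -> bool:
    """Account with no repos or followers that starred soon after creation."""
    u = star["user"]
    young = _ts(star["starred_at"]) - _ts(u["created_at"]) <= max_age
    inactive = u["public_repos"] == 0 and u["followers"] == 0
    return young and inactive


def star_report(stargazers, burst_threshold=0.5, throwaway_threshold=0.5) -> dict:
    """Summarise both signals; flag the repository when either dominates.

    The 50% thresholds are assumed values for the example, not figures
    from the study.
    """
    n = len(stargazers)
    throwaways = sum(looks_like_throwaway(s) for s in stargazers)
    bf = burst_fraction(stargazers)
    tf = throwaways / n if n else 0.0
    return {
        "stars": n,
        "burst_fraction": round(bf, 2),
        "throwaway_fraction": round(tf, 2),
        "suspicious": bf >= burst_threshold or tf >= throwaway_threshold,
    }


def _mk(login, starred_at, created_at, repos, followers):
    """Build one stargazer record in the API's shape (constructed data)."""
    return {"starred_at": starred_at,
            "user": {"login": login, "created_at": created_at,
                     "public_repos": repos, "followers": followers}}


# Constructed sample: eight empty accounts created days earlier all star the
# repo within minutes of each other, plus two established accounts that
# starred months apart.
CAMPAIGN = [
    _mk(f"bot{i}", f"2024-11-03T10:{i:02d}:00Z", "2024-10-29T08:00:00Z", 0, 0)
    for i in range(8)
] + [
    _mk("alice", "2024-06-12T09:30:00Z", "2016-02-01T00:00:00Z", 42, 120),
    _mk("bob", "2024-09-20T17:05:00Z", "2019-07-15T00:00:00Z", 7, 15),
]

# Constructed sample: organic growth, one star every few weeks from old accounts.
ORGANIC = [
    _mk(f"dev{i}", f"2024-{m:02d}-{d:02d}T12:00:00Z", "2018-01-01T00:00:00Z", 5 + i, 3 * i)
    for i, (m, d) in enumerate([(1, 5), (2, 14), (4, 2), (5, 30), (7, 19), (9, 8), (11, 21)])
]

if __name__ == "__main__":
    print("campaign:", star_report(CAMPAIGN))
    print("organic: ", star_report(ORGANIC))
```

Neither signal is proof on its own: a repository that lands on the front page of a news aggregator also gets a one-day burst, and some legitimate users keep empty profiles. Treat a flagged result as a prompt to look at the commit history, the maintainers and the code itself, which is the article’s point.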
With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!