GitHub, the world’s largest code-hosting platform, is grappling with a growing problem: the misuse of its “star” feature to artificially boost the popularity of repositories.
This tactic is being used by malicious actors to distribute malware and by others to unfairly elevate the visibility of non-malicious projects.
The “star” feature, akin to a “Like” button on social media, allows users to favorite repositories. GitHub incorporates these stars into its ranking system and uses them to recommend repositories to users, making it an influential metric. However, the system is vulnerable to manipulation, as revealed by several recent studies.
The Scale of the Problem
A joint study by researchers at Socket, Carnegie Mellon University, and North Carolina State University sheds light on the magnitude of fake star activity. Using a tool called StarScout, which analyzes metadata from over 6 billion GitHub events, researchers identified 4.5 million suspected fake stars across 22,915 repositories.
Key findings include:
- 4.5 million stars suspected as fake, given by 1.32 million accounts.
- 3.1 million confirmed fake stars after filtering, involving 278,000 accounts and 15,835 repositories.
- A sharp rise in fake star activity in 2024: 15.8% of repositories that had more than 50 stars in July 2024 were found to be involved in these campaigns.
Many of the fake stars originated from accounts exhibiting minimal activity or acting in coordinated clusters to boost targeted repositories.
Tools and Methodology
The researchers employed algorithms adapted from social network fraud detection, such as CopyCatch, to identify suspicious patterns. They analyzed 20TB of data, including activity metadata and anomalous spikes in starring behavior, to uncover the fake star networks.
The study also found that approximately 91% of the flagged repositories and 62% of the fake accounts were deleted by October 2024, highlighting the efficacy of the StarScout tool.
Implications
Fake stars undermine trust in GitHub’s ranking and recommendation systems, potentially leading users to interact with deceptive repositories. These repositories often host malware or scams designed to exploit unsuspecting developers and users.
The problem has broader consequences, including:
- Erosion of trust in GitHub as a reliable platform.
- Increased difficulty for legitimate projects to gain visibility.
- Enhanced risks for users relying on misleadingly popular repositories.
Mitigating the Threat
Users are advised to go beyond the star count when evaluating repositories. Recommended practices include:
- Reviewing repository activity and code contributions.
- Checking for thorough documentation.
- Examining the quality of the codebase.
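The signals the researchers describe (stars arriving in anomalous spikes, accounts with minimal activity, clusters of accounts acting in lockstep) can be checked on a much smaller scale by anyone vetting a repository before adopting it. The following is an added example, not code from the study, StarScout, or GitHub: it screens a repository's stargazer metadata with three simplified heuristics. The records are constructed for illustration; a real check would pull equivalent fields (star timestamps, account creation dates, public activity, other starred repositories) from the GitHub API. The lockstep check is a crude stand-in for CopyCatch-style detection, and the thresholds are assumptions chosen for the sample, not values from the paper.

```python
"""Screen a repository's stargazers for fake-star signals (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Stargazer:
    login: str
    starred_at: datetime        # when the account starred the repo under review
    account_created: datetime   # account creation date
    public_events: int          # number of public events on the account
    other_repos: frozenset      # other repositories the account has starred


def _sg(login, starred, created, events, others):
    """Build a Stargazer from ISO-8601 strings (helper for the constructed data)."""
    return Stargazer(login, datetime.fromisoformat(starred),
                     datetime.fromisoformat(created), events, frozenset(others))


# Constructed sample data: hypothetical accounts, not taken from the study.
# Four organic stargazers: old accounts, real activity, stars spread over months.
ORGANIC = [
    _sg("maria-dev", "2024-03-02T14:10:00", "2019-05-11T00:00:00", 640,
        ["pallets/flask", "psf/requests"]),
    _sg("jun-ops", "2024-04-18T09:30:00", "2020-08-02T00:00:00", 212,
        ["kubernetes/kubernetes", "hashicorp/terraform"]),
    _sg("lena-sec", "2024-05-27T21:05:00", "2018-01-19T00:00:00", 1503,
        ["sigstore/cosign", "ossf/scorecard"]),
    _sg("tomasz-k", "2024-06-30T11:45:00", "2021-11-03T00:00:00", 98,
        ["golang/go", "rust-lang/rust"]),
]
# Eight accounts created three days earlier, with almost no activity, starring
# within minutes of each other and all having starred the same two other repos.
BURST = [
    _sg(f"bot-{i:04d}", f"2024-07-01T10:{i:02d}:00", "2024-06-28T00:00:00",
        1 + i % 2, ["org-a/tool", "org-b/cli"])
    for i in range(8)
]
SAMPLE = ORGANIC + BURST


def max_stars_in_window(stargazers, window=timedelta(hours=1)):
    """Largest number of stars that landed inside any sliding time window."""
    times = sorted(s.starred_at for s in stargazers)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def low_activity_fraction(stargazers, max_age=timedelta(days=30), max_events=5):
    """Share of stars given by young accounts with almost no public activity."""
    if not stargazers:
        return 0.0
    flagged = sum(
        1 for s in stargazers
        if s.starred_at - s.account_created < max_age and s.public_events < max_events
    )
    return flagged / len(stargazers)


def largest_lockstep_group(stargazers, min_shared=2):
    """Size of the largest group of stargazers whose other-star sets are identical.

    A crude stand-in for lockstep detection such as CopyCatch: accounts that act
    on exactly the same targets are likely controlled together.
    """
    groups = defaultdict(int)
    for s in stargazers:
        if len(s.other_repos) >= min_shared:
            groups[s.other_repos] += 1
    return max(groups.values(), default=0)


def screen_repository(stargazers):
    """Combine the signals into a verdict; thresholds are illustrative assumptions."""
    total = len(stargazers)
    metrics = {
        "stars": total,
        "burst_ratio": max_stars_in_window(stargazers) / total if total else 0.0,
        "low_activity_ratio": low_activity_fraction(stargazers),
        "lockstep_group": largest_lockstep_group(stargazers),
    }
    metrics["suspicious"] = (
        metrics["burst_ratio"] >= 0.5
        or metrics["low_activity_ratio"] >= 0.3
        or metrics["lockstep_group"] >= 5
    )
    return metrics


if __name__ == "__main__":
    for name, data in (("organic-only", ORGANIC), ("with burst", SAMPLE)):
        print(name, screen_repository(data))
```

Run stand-alone, the script reports the organic-only set as clean and the combined set as suspicious: two thirds of its stars arrive inside one hour, the same two thirds come from three-day-old accounts with one or two public events, and eight accounts share an identical star footprint. None of these signals is conclusive on its own (a launch announcement also produces a burst), which is why the verdict combines them and why the article's advice to look at commits, documentation and code quality still applies.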
GitHub has responded by actively removing flagged repositories and accounts. The company is also reportedly working on improving its detection systems. However, the issue persists, and further efforts are needed to bolster the platform’s integrity.
BleepingComputer has reached out to GitHub for additional comments on its approach to combating fake stars but has not yet received a response.
As the fight against fraudulent activity continues, developers and users alike must remain vigilant when engaging with repositories on GitHub.
Bijay Pokharel