https://arxiv.org/pdf/2412.13459

A new study reveals a significant problem with inauthentic “stars” being used to artificially inflate the popularity of scam and malware distribution repositories on GitHub. These fake stars mislead users into trusting malicious projects and potentially downloading malware.

How Fake Stars Work

  • GitHub users can “star” repositories similar to liking them on social media platforms.
  • The number of stars is a key factor in how GitHub ranks repositories and recommends them to users.
  • Malicious actors create fake accounts or compromise existing ones to star malicious repositories, making them appear more popular and trustworthy.

Impact of Fake Stars

  • Increased Reach for Malicious Projects: Fake stars help malicious repositories reach more unsuspecting users who may be tricked into downloading malware.
  • Eroded Trust in GitHub: The widespread use of fake stars undermines the overall trust and credibility of the GitHub platform.

Researchers developed a tool called StarScout to analyze user activity and identify patterns indicative of fake stars. StarScout looks for signs of low user activity, bot-like behavior, and coordinated starring activity across multiple accounts.
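The two signals described above (accounts with little or no activity beyond starring, and several such accounts starring the same repository within a short window) can be turned into a simple scoring pass over star events. The following is an added illustration, not StarScout's code or the paper's parameters: the thresholds, the `StarEvent` fields, and the sample events are all constructed for this example.

```python
"""Heuristic detection of suspected fake GitHub stars.

Added illustration, not StarScout's code. It applies the two signals the
summary describes (low-activity / bot-like accounts and coordinated
starring bursts) to a constructed list of star events. All thresholds
are assumptions chosen for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class StarEvent:
    user: str
    repo: str
    starred_at: datetime
    account_age_days: int   # days between account creation and this star
    total_activity: int     # commits, issues, PRs and comments across GitHub
    repos_starred: int      # how many repositories this account has starred


# Assumed thresholds (not from the paper).
MAX_ACCOUNT_AGE_DAYS = 7          # "fresh" account
MAX_TOTAL_ACTIVITY = 1            # near-zero non-star activity
MIN_STAR_ONLY = 20                # many stars but no other activity at all
BURST_WINDOW = timedelta(hours=24)
MIN_BURST_SIZE = 3                # low-activity stars per repo per window


def is_low_activity(ev: StarEvent) -> bool:
    """Signal 1: the account looks throwaway or bot-like."""
    young_and_idle = (ev.account_age_days <= MAX_ACCOUNT_AGE_DAYS
                      and ev.total_activity <= MAX_TOTAL_ACTIVITY)
    star_only = ev.repos_starred >= MIN_STAR_ONLY and ev.total_activity == 0
    return young_and_idle or star_only


def coordinated_bursts(events, window=BURST_WINDOW, min_size=MIN_BURST_SIZE):
    """Signal 2: at least `min_size` low-activity accounts star the same
    repository inside a sliding `window`. Returns {repo: set(users)}."""
    by_repo = defaultdict(list)
    for ev in events:
        if is_low_activity(ev):
            by_repo[ev.repo].append(ev)
    flagged = {}
    for repo, evs in by_repo.items():
        evs.sort(key=lambda e: e.starred_at)
        users = set()
        start = 0
        for end in range(len(evs)):
            # advance the window start until evs[start..end] fits in `window`
            while evs[end].starred_at - evs[start].starred_at > window:
                start += 1
            if end - start + 1 >= min_size:
                users.update(e.user for e in evs[start:end + 1])
        if users:
            flagged[repo] = users
    return flagged


def suspected_fake_stars(events):
    """(user, repo) pairs that are both low-activity and part of a burst."""
    bursts = coordinated_bursts(events)
    return sorted((u, r) for r, us in bursts.items() for u in us)


def fake_star_ratio(events):
    """Share of each repository's stars that were flagged as suspicious."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev.repo] += 1
    bursts = coordinated_bursts(events)
    return {repo: len(bursts.get(repo, ())) / n for repo, n in totals.items()}


# Constructed sample data: a burst on a scam-style repo plus ordinary stars.
_T0 = datetime(2024, 6, 1, 12, 0)
SAMPLE_EVENTS = [
    StarEvent("bot_a", "acme/free-crypto-bot", _T0, 1, 0, 40),
    StarEvent("bot_b", "acme/free-crypto-bot", _T0 + timedelta(hours=1), 2, 0, 35),
    StarEvent("bot_c", "acme/free-crypto-bot", _T0 + timedelta(hours=2), 1, 1, 50),
    # long-lived, active account on the same repo: not flagged
    StarEvent("alice", "acme/free-crypto-bot", _T0 + timedelta(hours=1), 900, 412, 30),
    # a few fresh accounts on a legitimate repo, spread over days: no burst
    StarEvent("newbie", "example-org/widget-lib", _T0, 3, 0, 2),
    StarEvent("lurker1", "example-org/widget-lib", _T0 + timedelta(days=1), 2, 0, 5),
    StarEvent("lurker2", "example-org/widget-lib", _T0 + timedelta(days=10), 1, 0, 5),
]

if __name__ == "__main__":
    for user, repo in suspected_fake_stars(SAMPLE_EVENTS):
        print(f"suspected fake star: {user} -> {repo}")
    for repo, ratio in fake_star_ratio(SAMPLE_EVENTS).items():
        print(f"{repo}: {ratio:.0%} of stars flagged")
```

Requiring both signals together is deliberate: a single fresh account starring a popular project is normal behaviour, and an active, long-lived account is not made suspicious by the company it keeps. The per-repository ratio is the number a reviewer would actually look at before trusting a star count.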

The study identified 4.5 million suspected fake stars across GitHub. These fake stars were associated with over 15,800 repositories and 278,000 user accounts.

Recommendations for Users

  • Don’t rely solely on the number of stars to judge a repository’s legitimacy.
  • Carefully evaluate the repository’s activity, documentation, code quality, and user contributions.
  • Be cautious when downloading software from GitHub, especially from repositories with few contributions or suspicious activity.

This study highlights the importance of staying vigilant when using GitHub. By being aware of fake stars and other deceptive tactics, users can help protect themselves from malware and other online threats.