Researchers from Socket have uncovered a concerning trend on GitHub, with the discovery of 3.7 million fake stars infiltrating the popular platform for developers. This influx of fake stars highlights a growing threat of fraud and the spread of malicious software within the GitHub community. Over the last six months, the magnitude of this issue has escalated significantly.
GitHub stars have traditionally been used as an indicator of a project’s popularity, but the prevalence of fraudulent activities has now compromised this measure. These fake stars are being sold for as little as 10 cents each, making them tools for deceiving users and investors alike. Despite GitHub’s policies against automated mass activity and fake accounts, these practices continue to proliferate.
One of the primary risks associated with fake stars is the presence of fraudulent repositories disguised as popular projects and containing malicious code. For instance, certain repositories are designed to covertly siphon cryptocurrency from unsuspecting users, posing a direct threat to them. Furthermore, the inflation of ratings for subpar repositories, such as code examples or templates, adds clutter to GitHub and creates confusion for novice programmers.
Although GitHub has made efforts to eradicate these fraudulent repositories, the issue persists. A significant portion (11%) of the suspicious repositories remain active, and 28 of them have been flagged by experts as containing malicious software.
Researchers utilized an algorithm to analyze GitHub data spanning five years, leading to the identification of over 10,000 suspicious repositories with fake stars. While GitHub has successfully removed nearly 90% of these repositories, there are still numerous repositories that may harbor malware or represent unscrupulous projects.
It is advised that users exercise caution and conduct thorough inspections of repositories, rather than relying solely on star counts. A new notification system targeting suspicious stars has been implemented on the platform to help users identify potentially risky projects and mitigate security threats in the software supply chain.
The proliferation of fake stars on GitHub serves as a stark reminder that even the most reliable trust indicators can be compromised in the digital age. This underscores the importance of maintaining vigilance and adopting a critical approach to online activities, as appearances of popularity may not always align with actual value or safety.