August 27th, 2024

3.7M Fake GitHub Stars: A Growing Threat Linked to Scams and Malware

Recent research indicates 3.7 million GitHub stars are fake, misleading users and promoting low-quality repositories. Socket introduced a "Suspicious Stars" alert to help identify fraudulent repositories and mitigate security risks.

Recent research by Socket has found that approximately 3.7 million GitHub stars are fake, a trend that has escalated sharply over the past six months. Fake stars can be bought for as little as $0.10 each and are used to inflate the perceived popularity of a repository, which can lead users to trust and install malicious software. The study reports that fake stars not only facilitate scams and fraud but also prop up low-quality repositories, adding noise to the GitHub ecosystem. Despite GitHub's takedown efforts, around 11% of repositories linked to fake star campaigns remain active, and many of them still host malware, pointing to a strong correlation between fake stars and malicious activity. Socket has introduced a "Suspicious Stars on GitHub" alert to help users identify potentially fraudulent repositories. Because a raw star count says nothing about who gave the stars or when, users are advised to scrutinize the stargazers and the repository's actual activity before trusting a project.

- 3.7 million GitHub stars are identified as fake, linked to scams and malware.

- Fake stars can mislead users into installing malicious software and promote low-quality repositories.

- Approximately 11% of repositories with suspected fake stars remain active on GitHub.

- Socket has launched a "Suspicious Stars on GitHub" alert to help users detect fraudulent repositories.

- Users should carefully evaluate star counts and repository activity to avoid security risks.
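The advice above to look past the raw star count can be turned into a concrete screen. The following is an added example, not code from Socket or from the original article, and its heuristics (account age, empty profile, a burst of stars inside a short window) are assumptions chosen here for illustration rather than Socket's alert logic. The stargazer records are constructed; in practice they would be assembled from the GitHub REST API (the stargazers endpoint returns `starred_at` when requested with the `application/vnd.github.star+json` media type, and the users endpoint gives account creation date, repository and follower counts).

```python
"""Heuristic screen for bought-looking GitHub stars over stargazer metadata.

Added example. The heuristics below are assumptions for illustration, not
Socket's detection logic, and the sample stargazers are constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Stargazer:
    """One star event joined with the starring account's profile."""
    login: str
    starred_at: datetime   # when the star was given
    created_at: datetime   # when the account was created
    public_repos: int
    followers: int


def is_low_signal(s: Stargazer, min_account_age: timedelta) -> bool:
    """Assumed heuristic: a throwaway-looking account is one created shortly
    before it starred, or one with no public repos and no followers."""
    young = s.starred_at - s.created_at < min_account_age
    empty = s.public_repos == 0 and s.followers == 0
    return young or empty


def find_bursts(stargazers, window: timedelta, min_burst: int):
    """Return maximal clusters of at least `min_burst` stars landing within `window`.

    Sliding window over the time-sorted events; overlapping qualifying
    windows are merged so that one campaign yields one burst."""
    events = sorted(stargazers, key=lambda s: s.starred_at)
    bursts = []
    j = 0
    for i, first in enumerate(events):
        while j < len(events) and events[j].starred_at - first.starred_at <= window:
            j += 1
        if j - i < min_burst:
            continue
        members = {e.login for e in events[i:j]}
        end = events[j - 1].starred_at
        if bursts and first.starred_at <= bursts[-1]["end"]:
            bursts[-1]["end"] = max(bursts[-1]["end"], end)
            bursts[-1]["members"] |= members
        else:
            bursts.append({"start": first.starred_at, "end": end, "members": members})
    return bursts


def assess_stars(stargazers, window=timedelta(hours=24), min_burst=5,
                 min_account_age=timedelta(days=30), low_signal_ratio=0.6):
    """Summarise how much of the star count looks organic.

    A burst is flagged when at least `low_signal_ratio` of its members are
    low-signal accounts; `suspicious` counts the low-signal members of
    flagged bursts, i.e. the stars most likely to have been bought."""
    low_signal = {s.login for s in stargazers if is_low_signal(s, min_account_age)}
    bursts = find_bursts(stargazers, window, min_burst)
    flagged = [b for b in bursts
               if len(b["members"] & low_signal) / len(b["members"]) >= low_signal_ratio]
    suspicious = set().union(*(b["members"] for b in flagged)) & low_signal
    return {
        "total": len(stargazers),
        "low_signal": len(low_signal),
        "bursts": len(bursts),
        "suspicious": len(suspicious),
        "flagged": bool(flagged),
    }


def sample_stargazers():
    """Constructed data: three long-standing accounts starring over months,
    then nine stars inside 70 minutes, eight of them from days-old empty accounts."""
    organic = [
        Stargazer("alice", datetime(2024, 3, 10, 14, 0, tzinfo=UTC), datetime(2019, 6, 1, tzinfo=UTC), 42, 120),
        Stargazer("bob", datetime(2024, 5, 22, 9, 30, tzinfo=UTC), datetime(2017, 2, 14, tzinfo=UTC), 15, 30),
        Stargazer("carol", datetime(2024, 7, 30, 9, 0, tzinfo=UTC), datetime(2021, 11, 5, tzinfo=UTC), 8, 12),
    ]
    burst_start = datetime(2024, 8, 1, 10, 0, tzinfo=UTC)
    bought = [
        Stargazer(f"user{i:04d}", burst_start + timedelta(minutes=10 * i),
                  datetime(2024, 7, 20, tzinfo=UTC) + timedelta(days=i), 0, 0)
        for i in range(8)
    ]
    # One genuine user who happened to star during the campaign.
    bystander = Stargazer("dave", burst_start + timedelta(minutes=35),
                          datetime(2018, 9, 9, tzinfo=UTC), 20, 55)
    return organic + bought + [bystander]


if __name__ == "__main__":
    print(assess_stars(sample_stargazers()))
```

The thresholds are deliberately conservative: a single young account starring a project is normal, and even a burst of stars is normal after a launch post, so only the combination of a burst and a majority of throwaway-looking accounts is flagged. Run against a real repository, the same report also shows which stars to discount when judging whether the project's activity (commits, issues, contributors) matches its popularity.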
