A new study has revealed how widespread fake stars are on GitHub, which can prove dangerous as they increase the visibility of malicious repositories associated with fraudulent activity.
A new study has revealed how widespread fake stars are on GitHub, which can prove dangerous as they increase the visibility of malicious repositories associated with fraudulent activity.
Similar to likes on social media, stars allow users to show their support for repositories. The more stars a repository has, the more likely it is to appear in GitHub's global rating and recommendation system, expanding its reach to more unsuspecting users.
Knowing this, attackers began creating automated accounts to artificially create stars on their fraudulent repositories to distribute malware, writes TechRadar.
A new study from a team of researchers at Carnegie Mellon University, Socket Inc., and North Carolina State University has found that 4.5 million stars on the platform are considered fake. They summarize the problem as “a widespread and growing threat that arises on a platform that is central to modern open source software development,” describing GitHub repositories as “the de facto distribution channels for software components.”
In total, an estimated 4.5 million stars were attributed to 1.32 million accounts across nearly 23,000 repositories, indicating how widespread the issue has become on the platform.
The study also noted an increase in fake star activity throughout 2024, with GitHub already taking steps to combat dishonest users and repositories.
