GitHub's Fake Star Economy

April 20, 2026
aisecuritybusinessgaming
Detailed close-up of a hard disk drive showing the actuator arm and data platters.
Photo by Pixabay on Pexels

The findings

A peer‑reviewed study presented at ICSE 2026 by researchers from Carnegie Mellon, North Carolina State, and Socket found roughly 6 million suspected fake stars across 18,617 repositories created by about 301,000 accounts. The dataset was massive — 20 TB of metadata, 6.7 billion events, and 326 million stars spanning 2019–2024 — and the trend accelerated in 2024: by July, it has been reported that 16.66% of repositories with 50+ stars were involved in fake‑star campaigns. AI and LLM projects turned out to be the largest non‑malicious recipients in absolute numbers, and, alarmingly, 78 flagged repos appeared on GitHub Trending, showing purchased attention can trigger discovery algorithms.

The marketplace

It has been reported that an open market exists for star purchases: websites, freelance gigs, Telegram channels and even exchange networks sell stars, with prices supposedly ranging from $0.03 to $0.85 per star depending on account quality. Vendors allegedly include services like GitHub24 (a German‑registered seller that reportedly charged €0.85 per star in tests) and budget shops selling bulk disposable accounts. The investigation it has been reported that sampled thousands of stargazers across 20 repositories and found striking fingerprints of manipulation — large fractions of stargazers with zero followers, fork‑to‑star ratios far below organic baselines — the kind of smoke that suggests a very hot fire behind it.

Why it matters

Why should anyone care? Because popularity on GitHub has real downstream value. It has been reported that some VCs explicitly use star counts as sourcing signals — Redpoint reportedly found a median star count at seed of 2,850 — and firms run automated scrapers to surface fast‑growing repos. The incentive is clear: a cheap handful of bought stars can be turned into perceived traction, and traction can unlock funding. There are legal risks too; it has been reported that regulators are watching — the FTC’s 2024 rule and high per‑violation penalties, and SEC actions over inflated traction metrics, make this more than just an ethics problem. In short: when attention is for sale, trust is the casualty. What does that leave for honest projects? A mess, and a cautionary tale.

Sources: awesomeagents.ai, Hacker News