A recent investigation reveals that 6 million fake GitHub stars have been purchased across 18,617 repositories and 300,000 accounts. The practice, sold openly on platforms like Fiverr and Telegram, costs between $0.03 and $0.85 per star. The goal is to artificially inflate a project’s perceived popularity during launch phases. Investors and automated ranking systems still rely on star counts as a proxy for quality, making this a lucrative scheme for fraudulent developers.
Researchers identified three red flags to detect inflated repositories: low fork rates, few followers, and minimal code reuse. Projects with high star counts but no pull requests, issue activity, or commit history often rely on purchased stars. Some repositories even manipulate social media metrics to amplify the illusion of legitimacy.
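The red flags above translate directly into a screening rule. The script below is an added example, not code from the investigation or from GitHub: it scores a repository record on the three named signals (fork rate, stargazer follower counts, code reuse) plus the engagement-history check, and flags the repository when two or more fire. The field names, thresholds and the two sample records are constructed assumptions; in practice the metrics would come from the GitHub API and the thresholds would be tuned against a labelled baseline.

```python
"""Heuristic screen for inflated GitHub star counts.

Assumed inputs and thresholds (added example); nothing here is taken from
GitHub's own tooling or from the investigation described in the article.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import List


@dataclass
class RepoMetrics:
    name: str
    stars: int
    forks: int
    pull_requests: int
    issues: int
    commits: int
    dependents: int                      # "used by" count: repos that import this one
    stargazer_followers: List[int] = field(default_factory=list)  # followers per stargazer


# Assumed thresholds; calibrate on known-good and known-bad repositories first.
MIN_FORK_RATIO = 0.02          # forks / stars; organic projects usually exceed this
MAX_MEDIAN_FOLLOWERS = 1       # purchased accounts tend to have ~0 followers
MIN_DEPENDENTS_PER_1K = 1.0    # dependent repos per 1,000 stars (code reuse)
MIN_STARS_TO_SCREEN = 500      # small repos give noisy ratios; skip them


def fork_ratio(repo: RepoMetrics) -> float:
    """Forks per star; 0.0 for a repository with no stars."""
    return repo.forks / repo.stars if repo.stars else 0.0


def suspicion_flags(repo: RepoMetrics) -> List[str]:
    """Return the red flags that fire for one repository (empty list = clean)."""
    if repo.stars < MIN_STARS_TO_SCREEN:
        return []
    flags: List[str] = []
    if fork_ratio(repo) < MIN_FORK_RATIO:
        flags.append("low_fork_rate")
    if repo.stargazer_followers and median(repo.stargazer_followers) <= MAX_MEDIAN_FOLLOWERS:
        flags.append("low_follower_stargazers")
    if repo.dependents / (repo.stars / 1000) < MIN_DEPENDENTS_PER_1K:
        flags.append("minimal_code_reuse")
    if repo.pull_requests == 0 and repo.issues == 0 and repo.commits < 10:
        flags.append("no_engagement_history")
    return flags


def likely_inflated(repo: RepoMetrics) -> bool:
    """Decision rule (assumed): two or more independent signals firing."""
    return len(suspicion_flags(repo)) >= 2


# Constructed sample records; these are not real repositories.
SAMPLE_REPOS = [
    RepoMetrics("healthy-lib", stars=4200, forks=610, pull_requests=340,
                issues=180, commits=2900, dependents=1500,
                stargazer_followers=[12, 40, 3, 88, 7, 25, 0, 15]),
    RepoMetrics("launch-week-wonder", stars=9000, forks=35, pull_requests=0,
                issues=0, commits=6, dependents=0,
                stargazer_followers=[0, 0, 1, 0, 0, 0, 2, 0]),
]


if __name__ == "__main__":
    for repo in SAMPLE_REPOS:
        print(f"{repo.name}: flags={suspicion_flags(repo)} inflated={likely_inflated(repo)}")
```

The healthy record passes every check; the second record, which mirrors the pattern the article describes (many stars, almost no forks, zero pull requests or issues, stargazers with no followers), trips all four flags. The median follower count is used rather than the mean so that one or two genuine accounts among the buyers cannot mask the signal.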
One standout case involves a project called higgsfield-ai-scam, which aggressively promoted itself outside GitHub to boost its false credibility. The repository’s discrepancy between stars and actual engagement highlights how easily metrics can be faked. GitHub’s own tools fail to flag these discrepancies, leaving users vulnerable to misleading signals.
The investigation underscores a growing problem: fake engagement is eroding trust in open-source platforms. Without stricter oversight, algorithms and investors will continue to be misled by artificially inflated metrics.