GitHub has a major problem with fake rankings, which could put users at risk of attack

Researchers found 4.5 million fake stars on GitHub
The platform’s ranking and recommendations lean heavily on stars
Users are being urged to consider much more than just the number of stars

New research has revealed how widespread fake stars are across the GitHub platform, which could prove dangerous by increasing the visibility of malicious repositories associated with scam activity.

Similar to likes on social media, stars allow users to show their support for repositories. The more stars given, the more likely it is to appear in GitHub’s global ranking system and recommendations, extending its reach to more unsuspecting users.

Knowing this, threat actors have now gone on to create automated accounts to artificially star their dodgy repositories to spread malware.

GitHub star ratings helping to spread malware

The company confirms on a help page: “Many of GitHub’s repository rankings depend on the number of stars a repository has. In addition, Explore GitHub shows popular repositories based on the number of stars they have.”

A new study published in December 2024 by researchers at Carnegie Mellon University, Socket Inc and North Carolina State University reveals that 4.5 million stars on the platform are believed to be inauthentic. They summarize the problem as a “prevalent and escalating threat happening in a platform central to modern open-source software development,” describing GitHub repositories as the “defacto distribution channels for software components.”

In total, an estimated 4.5 million stars across nearly 23,000 repositories were attributed to 1.32 million accounts, highlighting just how widespread the problem has become on the platform.

The study also noted a rise in fake star activity throughout 2024, with GitHub already taking action to counter dodgy users and repositories.

Previously used as a measure of how good a repository is, GitHub users are now being advised to consider other factors, such as its activity, authenticity and code quality.

https://cdn.mos.cms.futurecdn.net/2viAsX89eJReYQEQ3i3SwH-1200-80.jpg

Source link

Leaked Samsung Galaxy S25 Slim benchmark hints at the phone’s key specs

Linux Foundation brings together top browser makers for more “open” approach

Want a cheaper Apple Pencil for your iPad? This $30 alternative comes with Find My tracking

Forget AI fitness coaches – 2025 trends show personal training could make a comeback thanks to this pandemic-era relic

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

Trump vs. Harris: How the election will affect EV adoption

Lumwana’s Super Pit Expansion Officially Launched By Investing.com

How Biden could use a 1947 law to suspend the dockworkers’ strike

Why your Roth IRA conversions could have ‘unintended’ tax consequences

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

GitHub has a major problem with fake rankings, which could put users at risk of attack

Leaked Samsung Galaxy S25 Slim benchmark hints at the phone’s key specs

Linux Foundation brings together top browser makers for more “open” approach

Want a cheaper Apple Pencil for your iPad? This $30 alternative comes with Find My tracking

Forget AI fitness coaches – 2025 trends show personal training could make a comeback thanks to this pandemic-era relic

Leave a reply Cancel reply