Tracking the Fake GitHub Star Black Market

489 points by kaeruct, about 2 years ago

35 comments

ziml77, about 2 years ago
I'm surprised that Github stars are valuable enough to buy. Personally I never look at the star count because even if they were legit, they don't really tell me anything more useful than I get from looking at other things in the repo.

I tend to check the age difference between the earliest and latest commits because that lets me be sure it's not a project that someone spent a couple weeks coding up, dropped on github, and then forgot about. I'll also check the issues on there. I'm looking for more closed issues than open ones, but I'll also quickly scan over them to get a rough idea of how many are truly meaningful issues. I also get signals from the readme and docs. It's not a hard pass if there's issues with those, but it's certainly helpful to my opinion if they exist and are both clear and detailed.

penguin_booze, about 2 years ago
My ex-employer used Github stars in their job description and during recruitment pitches. They regularly encouraged employees to go and star the firm's repos in Github. In all-hands meetings, the Github stars were one of the items they reported: "we've surpassed X in Github stars" (applause).

(The firm X, however, is a more well-known name than my ex-employer was).

A while ago, I listened to a Freakonomics episode where it was discussed that businesses use proxies to both boost their image and to cover up their incompetency. The example was that a lot of businesses chose fancy names starting with A (like, AAA plumbers), so that they get listed first in business directories. These firms were later proven to be very incompetent and/or even fraudulent.

The relevant paper, also cited in the episode, was "A Business by Any Other Name": https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1667550.

debarshri, about 2 years ago
While evaluating OSS project, key indicator is community activity. Github stars is a weak community activity indicator. Firstly, as shown in the article it can be gamed. Also, Stars is very low threshold action so does not indicate whether the person who starred the project will actually use it.

I think 2 great community activity indicators are - Github issues and of slack/discord/discourse comments. One key thing with github issues in my opinions is that, If the github issues are mostly by the core team, it is not a great sign. You want a large mix of issues from customers or users and not from the team. This is a good indicator if the project is solving real problem or not. Stars is very low threshold action. Same goes with the slack comments, it should have both volume and freshness.

perihelions, about 2 years ago
Goodhart's law: if you rely on a social signal to tell you what's good, you'll break that signal.

Very soon, the domain of bullshit will extend to actual text. We'll be able to buy HN comments by the thousand -- expertly wordsmithed, lucid AI comments -- and you can get them to say "this GitHub repo is the best", or "this startup is the real deal". Won't that be fun?

thih9, about 2 years ago
> In spam detection, we often use heuristics in conjunction with machine learning to identify spammers.

Heuristics can only be used to identify suspected spammers. Not everyone who behaves like a spammer is a spammer, it could be e.g. a random user with privacy settings on, or someone who didn’t update their bio in a while and it got affected by link rot, etc.

Even if a group of low activity accounts stars the same projects, it could be that the account owners just discuss these projects elsewhere.

tpoacher, about 2 years ago
I have moved all my repositories to sourcehut. They are generally mirrored by a github repository consisting of a single README file explaining the new location for the project, and my reasons for the migration.

However, given sourcehut eschews the use of such "social metrics" (which at some level I agree with the principle behind it, on the other hand I do appreciate the value of being able to give visibility to good projects) I usually mention in my README that "If you like the project and wish to promote it, feel free to star this github page".

I'm sure github probably wouldn't like this use-case, but the stars would certainly be genuine, even if possibly quite dodgy-looking.

newmac, about 2 years ago
It is worth noting that it is trivial to buy fake stars for a project you are not affiliated with. The reason someone might do this would be to "test" the purchasing of fake stars without risking contaminating their own project.

coolsank, about 2 years ago
Is it just me or the fact that Dagster has one of their competitors Mage.ai listed here as a repo with around 15% of fake stars seems like an odd coincidence?

toastal, about 2 years ago
Maybe our code forges don't need to be social media platforms. These 'stars' have pretty dubious value and rarely correlate with code quality or importance (core libraries generally have less attention than apps or tools). There's also a heavy language skew where JavaScript and Python libraries & programs get way more thumbs-ups even when they're technically not any better than alternatives.

NiloCK, about 2 years ago
I have a half-written article about this, but I didn't have any good notion about quantifying the problem so this article is very welcome info to me.

My own angle is that copilot has shifted the incentives around this practice, maybe substantially. Businesses want to get (free tiers of) their paid SaaS endpoints into copilot suggestions - it's a great funnel!

I'd guess that github is as likely as not to become an SEO spam battlefield (like the rest of the web).

franciscop, about 2 years ago
I wrote on this topic a while ago; experimenting I found out you can basically change the repos names and keep the stars; this wouldn't work if you use the repo as issue tracker or PR tracker, since the history would all be broken, but if it's pretty much just the code it's easy to swap the star count between two repos:

https://francisco.io/blog/transferring-github-stars/

yla92, about 2 years ago
TIL: you can buy (fake) GitHub stars.

That was a bit shocking to me to learn.

siva7, about 2 years ago
Is there even such a thing as a github influencer (people living just from github)?

sacnoradhq, about 2 years ago
The next thing in social media vending machines.

https://twitter.com/Alexey__Kovalev/status/871842008771567618

thewizl, about 2 years ago
As a note, GitHub stars are often used in pitch decks for OSS startups. VCs seem to care about that, judging from what I’ve seen around.

precompute, about 2 years ago
This sort of gamification exists only because there are too many green engineers that only care about their salaries, and they mimic what people successfully recruited by FAANG (etc.) did, and so do other companies. Then this purity spirals into taking the entire field down because there's no one around to educate the new newbies. Facebook was IMO a step in the right direction because it was a "general" social network, you could post anything. Imagine if FB had released some sort of an "extension" that allowed you to share anything via a template of sorts, instead of having to type out everything in the same old text post. It would have been meta enough (sorry) to not spiral very quickly.

Leaving the arena is the only viable option. Software projects that aren't dependent on github drive their own vehicle, everyone else is on a crowded bus.

woodruffw, about 2 years ago
Things like this are part of why I cringe when I see supply chain analysis/security companies include “popularity” in their criticality metrics: the relationship between public popularity signals (like GitHub stars) and criticality is weak, at best.

Der_Einzige, about 2 years ago
I wrote a tiny tool which calculates the "brightness" score of a github repo based on calculating the total star count of the people who starred your repo. It will automatically detect these kinds of scams (assuming that it's mostly low star bots giving the stars).

https://github.com/Hellisotherpeople/Bright

Edit: I love clustering, I really do, but I think that techniques like the one I am using are far superior to unsupervised learning for trying to detect fake accounts in this context.

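An added example, not code from the Bright repository or from the commenter: the "brightness" idea described above (stars received by the accounts that starred a repo), computed over constructed stargazer data. The account names, star counts, the median and zero-brightness share, and the 0.5 review threshold are assumptions of this example.

```python
from statistics import median

# Constructed sample data (not real accounts): for each stargazer of a repo,
# the star counts of the repositories that stargazer owns.
ORGANIC = {
    "alice": [120, 4, 0],
    "bob": [15],
    "carol": [],
    "dave": [2300, 40],
    "erin": [1, 0, 3],
}
BOUGHT = {
    "user8841": [],
    "user8842": [0],
    "user8843": [],
    "user8844": [0, 0],
    "frank": [310, 12],
}


def account_brightness(owned_repo_stars):
    """Stars an account has received across the repositories it owns."""
    return sum(owned_repo_stars)


def repo_brightness(stargazers):
    """Summarise the brightness of every account that starred a repo."""
    scores = {name: account_brightness(r) for name, r in stargazers.items()}
    values = sorted(scores.values())
    dim = sorted(name for name, score in scores.items() if score == 0)
    return {
        # The total is what the comment describes; one bright account can
        # dominate it, so the median and dim share are reported alongside.
        "total": sum(values),
        "median": median(values) if values else 0,
        "dim_share": len(dim) / len(scores) if scores else 0.0,
        "dim_accounts": dim,
    }


def needs_review(summary, max_dim_share=0.5):
    """Flag for manual review only: a zero-brightness account may simply be
    a quiet or private user, so this marks suspects, not confirmed fakes."""
    return summary["dim_share"] > max_dim_share
```

In the constructed data, one well-starred stargazer keeps the bought repo's total above zero, while the median and the zero-brightness share still separate the two repos.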
amsterdorn, about 2 years ago
GitHub is fully aware of these, would they consider something like a "confirmed" star count that subtracts the suspicious/fake number? Or is that too much of a slippery slope.

lessname, about 2 years ago
How did you find out the name of the company behind GitHub24 though? If I go to their website I cannot see it, I even cannot find anything if I search the company name.

rootsudo, about 2 years ago
This is a great article, I've developed the same tactics for other projects but never was able to graft the proper vernacular. It really helps tackling how to organize and present information.

I wonder if this is also in general OSINT or ISC^2 training - everything this article showed for breadtrails and reverse operation (e.g. pay a company to do the work, see how it is, evaluate the results, see if you can find other work similar/akin to it.)

bdcravens, about 2 years ago
Sounds like they take it more serious than Google does likes on Youtube. A competitor had a video that rapidly had over 100k likes - but if you looked at the total time played, each view averaged to just a couple of seconds on a video over 10 minutes. Reported it, but nothing came of it. (No, not something we regularly do. I think it may be the only video I've ever reported; just want a fair playing field)

Xeoncross, about 2 years ago
Rabbit trail: I accidentally right-clicked on their home icon and it brought up their branding page with license agreements for their IP. Really neat idea.

newmac, about 2 years ago
I think the most interesting thing would be to run this test against the list of Launch HNs, sorted by votes, grouped by class.

malshe, about 2 years ago
I give Github star as a bookmark for the repo so I assumed that others might be using it the same way too.

lozenge, about 2 years ago
The projects with suspicious stars were still >80% nonfake stars. That to me suggests that most of the fake stars have been classified as nonfake. There isn't much psychological value in boosting your star count by just 25%.

JaDogg, about 2 years ago
Just use Show HN & Reddit.

PragmaticPulp, about 2 years ago
> And if you enjoy this article, head on over to the Dagster repo and give us a real GitHub star!

Kind of ironic that they’re using blog articles and social media to pander for more stars on their GitHub project.

badrabbit, about 2 years ago
I didn't know people used stars to make decisions. For me it is more like HN karma points. I use their issue history/pr history to get an idea of how good or bad a project is

dnchdnd, about 2 years ago
only vaguely related - but I've been recently trying out dagster and I'm pretty impressed so far. I've run large scale data-processing from Hadoop onwards and was expecting the usual crumminess whenever you hit an edge case.

Instead I found a system that seems to be thoughtfully designed and, crucially, easy to debug.

erlend_sh, about 2 years ago
Great post, though I was low-key hoping for a top 10 or maybe top 100 ranking of most starred juiced-up repos.

saurik, about 2 years ago
> Yet [GitHub stars] influence serious, high stakes decisions, including which projects get used by enterprises, which startups get funded, and which companies talented professionals join.

Really? I honestly just don't believe this... if I *were* to believe this, I think I'd have to conclude the world is just too broken to bother rescuing.

optimalsolver, about 2 years ago
What's the street value?

sgammon, about 2 years ago
this shouldn't be posted with links to the actual places to buy stars.... that seems like a bad idea?

Kalanos, about 2 years ago
do streamlit