GitHub's Fake Star Economy
3 hours ago
- #Fake Stars
- #VC Funding
- #GitHub
- A CMU study (ICSE 2026) identified 6 million fake GitHub stars across 18,617 repos using 301,000 accounts, with AI/LLM repos being a major non-malicious category.
- Fake stars are sold openly for $0.03 to $0.85 each on websites, Fiverr, and Telegram, with premium services offering 'non-drop' stars that evade detection.
- VCs explicitly use star counts as sourcing signals, with Redpoint noting a median of 2,850 stars at seed stage and automated scrapers tracking growth.
- Analysis of 20 repos revealed manipulation fingerprints: 36-76% of stargazers had zero followers, and fork-to-star ratios were 10x below organic baselines.
- Blockchain projects like Union Labs (flagged with 47.4% fake stars) topped VC reports, while AI repos showed mixed signals, with some heavily manipulated.
- The fork-to-star ratio is a strong heuristic for detection: organic repos average ~0.160, while manipulated ones drop below 0.05, indicating low genuine engagement.
- Fake popularity extends to npm downloads and VS Code extensions, with cases like a package reaching 1 million weekly downloads via automation.
- Legal risks include FTC rules (penalties up to $53,088 per violation) and SEC charges for fraud, applying if fake stars mislead investors during fundraising.
- GitHub's enforcement is reactive, deleting flagged repos but only 57% of fake accounts, lacking structural changes like weighted popularity metrics.
- VCs should prioritize metrics like unique monthly contributors, issue quality, and fork-to-star ratios over raw star counts to gauge real adoption.