•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
A study presented at ICSE 2026 by researchers from Carnegie Mellon University, North Carolina State University, and security company Socket describes an underground market for buying fake GitHub stars. The researchers estimate that around 6 million fake stars were created on GitHub between 2019 and 2024.
The study used StarScout to analyze 20 terabytes of GitHub data, equivalent to 6.7 billion events and 326 million star-giving actions. It found that about 18,617 repositories participated in campaigns to purchase fake stars through roughly 301,000 accounts.
By mid-2024, the phenomenon intensified. The study reports that 16.66% of projects with 50 or more stars were linked to star manipulation campaigns, whereas prior to 2022 the issue was nearly absent.
GitHub reportedly began recognizing the scale of the problem. By January 2025, about 90.42% of StarScout-flagged projects had been deleted, along with 57.07% of related accounts.
The researchers also found that the platform’s visibility systems could be misled. As many as 78 repositories that used fake stars appeared on GitHub Trending, indicating that recommendations can be influenced.
The study says the AI sector became the largest group of fake-star recipients outside blockchain and crypto. Many of the manipulated repositories were related to large language models, AI startups, or academic papers.
In addition, the authors highlight that some projects show manipulation patterns in star-giving behavior. For example, some blockchain or AI projects have more than 80% of star-giving accounts with no followers.
One extreme example cited is FreeDomain, which had 157,000 stars but only 2,676 forks and 168 watchers. The study reports that over 81% of star accounts lacked followers.
The market for buying stars operates as a full-service industry. Websites publicly sell stars for as little as $0.03–$0.10 per star in a cheaper tier. Higher-tier packages reportedly use older accounts with real activity histories and are sold for about $0.80–$0.90 per star to reduce the risk of GitHub detection.
Some platforms offer “no-star drop warranty,” automated star-purchasing APIs, and networks for star exchanges. Telegram listings reportedly sell GitHub accounts with five-year commit histories and Arctic Code Vault Contributor badges for around $5,000.
In China, a separate study from Tsinghua University found groups promoting on QQ and WeChat with more than 1,000 daily participants to manipulate stars, with estimated profits of about $3.4–$4.4 million per year.
The study links the practice to investment-driven incentives. Jordan Segall, a partner at Redpoint Ventures, is quoted saying many VC funds use automated GitHub scanning to identify startups based on the speed of star growth.
The report provides benchmarks for programming-tool startups: the median star count for seed-stage companies is about 2,850 stars, and around 4,980 stars at Series A. This creates an “attractive math” for manipulation, where spending a few hundred dollars on fake stars can create the appearance of strong community interest and help support fundraising rounds valued in the millions.
The investigation points to examples linking GitHub activity and funding. It cites Lovable (formerly GPT Engineer), which has over 50,000 stars and raised $7.5 million in a pre-seed round before a $1.8 billion Series A valuation. It also notes Browser-use, which surged to 50,000 stars in three months and then raised $17 million in seed funding, and LangChain, which secured $10 million from Benchmark early on.
Analyzing data from 20 repositories, the authors report clear manipulation signals. They say authentic repositories such as Flask or LangChain tend to be followed by long-standing developers with real followers and genuine activity, while fake accounts are more widespread in other projects.
For Union Labs, the study notes it topped the ROSS Index at one point, but StarScout later estimated that about 47.4% of its stars showed signs of deception.
The study says there have been few criminal prosecutions directly tied to buying GitHub stars. It also references the FTC’s new rule taking effect in October 2024, which bans buying or selling fake influence indicators online for commercial purposes, with penalties up to $53,088 per violation.
The SEC has pursued startups for inflating metrics to attract investment, but the researchers say there have been no cases directly about GitHub stars. They argue that such behavior could be considered fraud if investors rely on fake metrics.
GitHub forbids creating fake interactions, manipulating rankings, or operating a market for buying and selling stars. However, the investigation concludes that the platform’s response remains reactive and not sufficiently robust to eliminate the underlying infrastructure.
As investment funds continue to use star counts as a growth signal, the study argues that the underlying economy behind GitHub fake stars still has traction.
Premium gym chains are entering a “golden era” that is ending or already in decline, as rising operating costs collide with shifting consumer preferences toward more flexible, community-based ways to exercise. Long-term memberships are shrinking, margins are pressured by higher rents and facility expenses, and competition from smaller, more personalized…
