{
	"id": "ca25d69d-ca13-4071-9d49-e82a416c8b08",
	"created_at": "2026-04-06T00:08:36.616561Z",
	"updated_at": "2026-04-10T03:32:46.209748Z",
	"deleted_at": null,
	"sha1_hash": "eae462b9250a3eb56237ce0f875cdb845de5e7b4",
	"title": "The GitHub Black Market: Gaming the Star Ranking Game",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1569036,
	"plain_text": "The GitHub Black Market: Gaming the Star Ranking Game\r\nBy Yehuda Gelb\r\nPublished: 2024-07-25 · Archived: 2026-04-05 22:22:42 UTC\r\n7 min read\r\nNov 30, 2023\r\nPress enter or click to view image in full size\r\nAs the world’s top Version Control System, GitHub has evolved well beyond its original purpose of simply storing\r\nand sharing code. Today it has become a digital portfolio for developers, showcasing their talents, contributions,\r\nand collaborations.\r\nHowever, the growing demand for artificially boosting one’s presence in this thriving community has led to the\r\nemergence of a massive black market, with online stores and chat groups openly selling GitHub stars. This\r\nunderground market undermines the authenticity of GitHub stars, falsely inflating a repository’s perceived value\r\nand popularity. This blog explores the manipulation of GitHub stars and provides a method to help you determine\r\nif a repository has been subjected to such deceptive practices.\r\nKey Points\r\nGitHub Stars are an important metric that serves as a key indicator of a repository’s credibility and\r\npopularity.\r\nhttps://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7\r\nPage 1 of 7\n\nIndividuals with malicious intent and those with deceptive practices may inflate star counts, misleading\r\nusers about a repository’s true worth.\r\nThe Role and Impact of GitHub Stars\r\nGitHub stars play a crucial role in indicating the usefulness and quality of a repository. They serve as a measure of\r\nvisibility, which can have various positive outcomes. 
For instance, repositories with more stars tend to attract\r\nmore contributions from developers, opening up opportunities for collaboration and improvement.\r\nAdditionally, maintainers of highly-starred repositories may receive better job offers due to the recognition and\r\nvalidation of their work.\r\nMoreover, in certain cases, a repository’s star count can even lead to funding opportunities, providing financial\r\nsupport for further development and innovation.\r\nThe Dark Side of Star Inflation\r\nWhile GitHub stars are generally a reliable indicator, it is essential to acknowledge the existence of unethical\r\npractices aimed at manipulating star counts. This deceptive behavior can mislead users and create a false\r\nimpression of a repository’s true value and popularity.\r\nUsers should be aware of these possible manipulations and exercise caution when evaluating repositories solely\r\nbased on their star count, particularly for recent ones with a relatively high star count.\r\nThe GitHub Black Market\r\nThe underground market for GitHub stars is a testament to the lengths some will go to fake their way to\r\npopularity. As revealed in a study titled “Understanding Promotion-as-a-Service on GitHub”, there are online\r\nstores and chat groups openly selling GitHub stars, posing serious challenges to the platform’s integrity. The\r\nresearch identified over 63,872 suspected promotion accounts, generating millions of dollars in profit. This\r\nunderground market undermines the authenticity of GitHub stars, falsely inflating a repository’s perceived value\r\nand popularity.\r\nAfter learning about the existence of this massive black market for GitHub stars, I decided to dig deeper and\r\ninvestigate the services offered by these providers. I reached out to several service providers and asked them about\r\ntheir GitHub star services. 
I inquired about the number of stars they could provide, the cost and the timeframe for\r\ndelivery.\r\nThe responses I received varied significantly. Some providers claimed that they could deliver a few hundred stars\r\nwithin a span of weeks, while one even offered to provide the stars within 1–2 days and suggested spreading out\r\nthe delivery to make it appear more organic. The cost of these services also varied greatly, ranging from $80 for\r\n1000 stars to a staggering $3000 for the same number of stars.\r\nIt’s worth noting, though, that it wasn’t just stars that were up for sale but also additional metrics such as\r\nfollowers, forks, and watchers.\r\nhttps://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7\r\nPage 2 of 7\n\nBy exploring these services and their offerings, it became evident that the black market for GitHub stars is a\r\nthriving industry with significant financial implications. These practices undermine the authenticity and reliability\r\nof GitHub metrics, making it increasingly challenging to evaluate repositories based solely on their popularity\r\nmetrics.\r\nPress enter or click to view image in full size\r\nJust a couple of the many examples of star inflation services\r\nPress enter or click to view image in full size\r\nConversation with one of the black market sellers\r\nPress enter or click to view image in full size\r\nhttps://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7\r\nPage 3 of 7\n\nSome happy customers\r\nThe Far-Reaching Implications of Star Inflation\r\nThe manipulation of GitHub stars doesn’t just inflate numbers; it has tangible effects on how projects are\r\nperceived and utilized.\r\nGet Yehuda Gelb’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nRepositories that amass a high number of stars, particularly those that receive them in sudden bursts, often find\r\ntheir way 
into GitHub’s trending section. They may also get featured in emails to subscribers of the GitHub\r\nExplore daily newsletter. This visibility can lead to genuine user engagement, as the project appears to be backed\r\nby a robust community.\r\nThis phenomenon has significant implications, especially for startups and tech companies. These entities often\r\nrely on GitHub stars as a barometer for choosing technologies, under the assumption that a high star count equates\r\nto widespread community support and reliability. However, when these stars are the result of artificial inflation\r\nrather than genuine interest, it can lead to misguided decisions.\r\nVerify their Stars.\r\nhttps://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7\r\nPage 4 of 7\n\nIf you come across a GitHub repository and want to take precautions, we offer a free Python tool called\r\nfake_star_check. This tool, available on GitHub, can help you examine repositories for suspicious star activities. It\r\nfocuses on two main aspects: identifying unusual star patterns and suspicious fake user profiles within the\r\nrepository. By using this tool, you can gain better insights into the repository’s overall health and reliability,\r\nenabling you to make informed decisions before engaging with it. We also welcome collaboration and\r\ncontributions from the community to improve the tool.\r\n1. Star Time Patterns\r\nThe tool examines the timing and distribution of GitHub stars to identify abnormal patterns indicative of artificial\r\npopularity. It analyzes when each star is awarded to a repository and searches for any possible red flags. These red\r\nflags may include a sudden spike in stars within a brief period, particularly when a significant portion of the\r\nrepository’s total stars are accumulated during that spike. 
This suggests artificial inflation by bots or paid services.\r\nPress enter or click to view image in full size\r\nAn example of a repository that could be considered suspicious due to the large number of stars it\r\nreceived in a very short period, especially considering its recent creation date.\r\n2. User Profile Analysis\r\nBeyond star pattern analysis, the tool also delves into the profiles of users who have starred the repository. It\r\nexamines different aspects, such as the dates of account creation, levels of activity, and the diversity of\r\ninteractions on GitHub. Legitimate users typically have a track record of contributions and varied interactions\r\nacross multiple repositories. In contrast, profiles involved in manipulating stars often exhibit limited activity, with\r\nprofiles that are very similar to each other, and their engagement is predominantly confined to starring\r\nrepositories, frequently overlapping with other similar profiles, and lacking in genuine contributions.\r\nBeyond Fake Stars\r\nhttps://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7\r\nPage 5 of 7\n\nThe manipulation of GitHub stars directly on GitHub is not the only method used by individuals to fake their way\r\nto popularity.\r\nThe Issue of Starjacking\r\nSome package managers allow packages to be linked to GitHub repositories, which enables the package’s\r\nhomepage on the package manager to display popularity metrics from the linked GitHub repo.\r\nAnother technique, known as “Starjacking,” involves linking a package hosted on a package manager (typically\r\nPyPi) to an unrelated repository on GitHub. By doing this, the popularity metrics of the original package,\r\nincluding the stars, are displayed on the unethical person’s repository, deceiving others into thinking it is a popular\r\npackage. 
Since the statistics displayed by package managers do not go through any validation process and this\r\nprocess is relatively simple to execute, attackers often employ it in their attacks. A recent example of such an\r\nattack targeted users of Telegram, AWS, and Alibaba Cloud.\r\nPress enter or click to view image in full size\r\nGitHub Profile manipulation\r\nFake stars are just one facet of deception on GitHub; consider checking out our recent series on How Attackers\r\nManipulate Their GitHub Profiles to Deceive you.\r\nSummary\r\nIn an ecosystem as vast and influential as GitHub, where stars often serve as an indication of a project’s popularity\r\nand credibility, it’s essential to remember that these metrics do not always tell the whole story. While star counts\r\ncan generally offer a glimpse into a project’s community support and visibility, they do not guarantee the quality\r\nor suitability of the software. It’s crucial, therefore, to go beyond surface-level metrics.\r\nA thorough assessment, which includes code quality reviews, community engagement, documentation, and update\r\nfrequency, provides a more comprehensive understanding of a project’s value.\r\nhttps://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7\r\nPage 6 of 7\n\nFurthermore, nowadays, there is a wealth of tools and resources available that assist in evaluating these open-source projects.\r\nRemember, not all is as it seems…\r\nAs part of the Checkmarx Supply Chain Security solution, our research team continuously monitors suspicious\r\nactivities in the open-source software ecosystem. We track and flag “signals” that may indicate foul play and\r\npromptly alert our customers to help protect them.\r\nSource: https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7\r\nhttps://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7"
	],
	"report_names": [
		"the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434116,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eae462b9250a3eb56237ce0f875cdb845de5e7b4.pdf",
		"text": "https://archive.orkl.eu/eae462b9250a3eb56237ce0f875cdb845de5e7b4.txt",
		"img": "https://archive.orkl.eu/eae462b9250a3eb56237ce0f875cdb845de5e7b4.jpg"
	}
}
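The two heuristics described in the article's "1. Star Time Patterns" and "2. User Profile Analysis" sections (a large share of all stars landing in one short window, and stargazer accounts that are new, empty, and registered in a batch), as an added example. This is not the fake_star_check tool's code and not from the Checkmarx post; the stargazer records, thresholds (one-day window, 30% share, 30-day account age, three profile flags) and the `contributions` field are assumptions, and the sample repositories below are constructed, not real.

```python
"""Heuristics for spotting bought GitHub stars: a star burst in a short window
and look-alike stargazer profiles. Added example, not the fake_star_check tool."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Stargazer:
    """One stargazer as the analysis sees it. starred_at comes from the
    stargazers API (star+json media type), the rest from the users API;
    `contributions` is an assumed input that the REST user object does not
    carry directly."""
    login: str
    starred_at: datetime
    created_at: datetime
    public_repos: int
    followers: int
    following: int
    contributions: int


def densest_window(times, window=timedelta(days=1)):
    """Slide a window over sorted star timestamps; return (start, count) of
    the window holding the most stars, or (None, 0) for no stars."""
    times = sorted(times)
    best_start, best_count, j = None, 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:      # drop stars older than the window
            j += 1
        if i - j + 1 > best_count:
            best_start, best_count = times[j], i - j + 1
    return best_start, best_count


def burst_flag(times, window=timedelta(days=1), min_share=0.3, min_stars=20):
    """Red flag 1: a large share of all stars landed inside one short window."""
    start, count = densest_window(times, window)
    share = count / len(times) if times else 0.0
    return {"window_start": start, "stars_in_window": count, "share": share,
            "suspicious": count >= min_stars and share >= min_share}


def profile_flags(user):
    """Red flag 2: traits paid-star accounts tend to share."""
    flags = []
    if user.starred_at - user.created_at < timedelta(days=30):
        flags.append("new_account")
    if user.public_repos == 0:
        flags.append("no_repos")
    if user.followers == 0 and user.following == 0:
        flags.append("no_social_graph")
    if user.contributions == 0:
        flags.append("no_contributions")
    return flags


def assess(stargazers, window=timedelta(days=1), min_flags=3, cluster_share=0.2):
    """Combine both heuristics into one report for a repository."""
    n = len(stargazers)
    burst = burst_flag([s.starred_at for s in stargazers], window)
    bad = [s.login for s in stargazers if len(profile_flags(s)) >= min_flags]
    # Bought accounts are registered in batches: check whether one
    # registration day accounts for a large share of the stargazers.
    by_day = Counter(s.created_at.date() for s in stargazers)
    top_day, top_n = by_day.most_common(1)[0] if by_day else (None, 0)
    bad_share = len(bad) / n if n else 0.0
    cluster = top_n / n if n else 0.0
    return {
        "stars": n,
        "burst": burst,
        "suspicious_user_share": bad_share,
        "creation_cluster": {"day": top_day, "share": cluster},
        "likely_inflated": burst["suspicious"]
        and (bad_share >= 0.5 or cluster >= cluster_share),
    }


# Constructed sample data (not real repositories or accounts).
T0 = datetime(2023, 11, 1, tzinfo=UTC)


def organic_sample():
    """40 stars spread over 200 days from established, varied accounts."""
    return [Stargazer(f"dev{i}", T0 + timedelta(days=5 * i, hours=i % 7),
                      T0 - timedelta(days=400 + 11 * i), 3 + i % 9, i % 15,
                      2 + i % 20, 40 + 3 * i) for i in range(40)]


def inflated_sample():
    """10 organic stars plus 50 bought ones delivered within 12 hours by
    accounts registered in one batch three days earlier."""
    batch = T0 + timedelta(days=97)
    delivery = T0 + timedelta(days=100)
    bought = [Stargazer(f"user{i:04d}", delivery + timedelta(minutes=14 * i),
                        batch + timedelta(minutes=i), 0, 0, 0, 0)
              for i in range(50)]
    return organic_sample()[:10] + bought


if __name__ == "__main__":
    for name, sample in (("organic", organic_sample()), ("inflated", inflated_sample())):
        print(name, assess(sample))
```

To run this against a real repository, fetch `GET /repos/{owner}/{repo}/stargazers` with the `Accept: application/vnd.github.star+json` header (that media type is what adds `starred_at` to each entry), then `GET /users/{login}` for each stargazer, and map the responses onto `Stargazer`. The thresholds are starting points, not calibrated values; a legitimate project that gets a Hacker News spike will also trip the burst check, which is why the verdict additionally requires the profile or registration-batch signal.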