
GitHub Stars are priced at 0.5 yuan each, and AI projects are the most aggressive in buying fake stars.

QbitAI, 2026-04-22 10:04
There are approximately 6 million fake stars on GitHub.

Is there really no one to regulate the practice of inflating stars on GitHub?

I've long heard that stars can be bought, and it's even more convenient than ordering takeout. They cost 50 cents each, and there are discounts for bulk purchases.

But I didn't expect the scale of the fraud to be so large. A study from Carnegie Mellon University, accepted by the top conference ICSE 2026, has thoroughly exposed this "industry":

There are approximately 6 million fake stars on GitHub, distributed across 18,617 repositories, involving more than 300,000 fraudulent accounts.

Indeed, the star count on GitHub does seem to be experiencing numerical inflation.

In the past, projects with tens of thousands of stars were recognized as top benchmarks. But now, many emerging projects can easily reach a high star count and become popular.

It turns out it's because they can afford to buy stars (doge).

What's really disheartening is that AI/LLM projects are the hardest hit by fake stars...

The Fake Star Industry Chain

The CMU team developed a tool called StarScout that detects abnormal starring behavior at large scale. It can accurately locate fake stars on GitHub by identifying abnormal behaviors such as zombie accounts and synchronized bulk starring.

Using GitHub-wide data from 2019 to 2024, the study identified approximately 6 million suspected fake stars and more than 18,000 repositories with inflated star counts, with a detection accuracy of up to 81%.

In one case given, an open-source repository had 111 stars, of which at least 109 were determined to be fake after verification.
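The two signals named above, near-empty accounts and synchronized bulk starring, can be combined as in the following added example. It is a simplified illustration, not StarScout's code or the paper's algorithm, and the event data, account names, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (account, repo, time the star was given). Not real data.
STAR_EVENTS = [
    ("acct01", "example/repo-a", "2024-03-01T02:00:05"),
    ("acct02", "example/repo-a", "2024-03-01T02:00:40"),
    ("acct03", "example/repo-a", "2024-03-01T02:01:10"),
    ("acct04", "example/repo-a", "2024-03-01T02:03:30"),
    ("dev-alice", "example/repo-a", "2024-03-01T02:04:00"),
    ("dev-bob", "example/repo-a", "2024-03-09T15:20:00"),
    ("acct01", "example/repo-b", "2024-03-02T11:00:00"),
]
# Constructed count of each account's public events other than stars.
OTHER_EVENTS = {"acct01": 0, "acct02": 0, "acct03": 1, "acct04": 0,
                "dev-alice": 412, "dev-bob": 57}
WINDOW = timedelta(minutes=5)   # assumed burst window
MIN_BURST = 4                   # assumed minimum stars inside one window
MAX_OTHER = 1                   # assumed activity ceiling for a zombie account

def burst_stars(events, window=WINDOW, min_burst=MIN_BURST):
    """Return the (account, repo) pairs starred inside a dense time window."""
    by_repo = defaultdict(list)
    for account, repo, ts in events:
        by_repo[repo].append((datetime.fromisoformat(ts), account))
    flagged = set()
    for repo, stars in by_repo.items():
        stars.sort()
        start = 0
        for end in range(len(stars)):
            # Advance the left edge until the window spans at most `window`.
            while stars[end][0] - stars[start][0] > window:
                start += 1
            if end - start + 1 >= min_burst:
                flagged.update((acct, repo) for _, acct in stars[start:end + 1])
    return flagged

def suspected_fake_stars(events, other_events=OTHER_EVENTS, max_other=MAX_OTHER):
    """Stars that are both part of a burst and from a near-empty account."""
    return sorted((a, r) for a, r in burst_stars(events)
                  if other_events.get(a, 0) <= max_other)

def fake_share(events, repo):
    """Fraction of a repo's stars that were flagged as suspected fakes."""
    total = sum(1 for _, r, _ in events if r == repo)
    fake = sum(1 for _, r in suspected_fake_stars(events) if r == repo)
    return fake / total if total else 0.0
```

Requiring both signals keeps an active developer who happens to star during a burst (dev-alice in the sample) out of the result, at the cost of missing the aged, well-maintained accounts the higher-priced services use.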

Similar repositories with severely inflated star counts are everywhere on GitHub. The business of buying fake stars has become industrialized.

According to a 2023 survey by Dagster, the fraud can be customized according to different budgets. Fake stars are priced in different tiers:

The cheap version costs $0.03-0.10 per star, focusing on extreme cost-effectiveness; the high-end version costs $0.80-0.90 per star, taking a more refined camouflage approach.

The low-price packages usually use a large number of newly registered blank accounts to give stars quickly, which is likely to trigger risk control. The high-price services specifically choose well-maintained old accounts that have been in use for many years, simulating the browsing and liking rhythm of real people so that stars increase naturally and smoothly.

At the same time, they also offer after-sales guarantees, promising long-term star retention and protection from platform cleanups, with the camouflage taken as far as it will go...

Moreover, the sales channels are not hidden at all. There are at least 12 websites openly selling fake stars. There are 24 active sellers on the Fiverr platform continuously taking orders, and programmatic bulk purchases through an API are even supported.

It doesn't stop there. Where there is demand, there is a market. Account farms have even emerged, dedicated to cultivating GitHub accounts.

An account with a 5-year commit history and an Arctic Code Vault contributor badge can be sold for $5000.

Although the contribution graph is all faked, it looks more like a legitimate developer than you (doge).

So, who is buying these fake stars?

It's really disheartening to say, but the CMU study shows that AI/LLM projects are the hardest hit by star inflation on GitHub, ranking first in the number of frauds among non-malicious projects.

The fraudsters have also mastered the recommendation algorithm. The paper's statistics show that 78 projects with severely inflated star counts have successfully made it onto the GitHub Trending list through false popularity.

However, the study also confirms that fake stars only have a short-term effect of less than 2 months. In the long run, they will drag down the real popularity and have a negative impact.

Stars = Admission Ticket for Financing

So, why buy stars? The biggest reason may be to raise funds.

Simple technical advantages are difficult to quickly impress investors. Intuitive and quantifiable external data has become the core standard for rapid screening.

The number of GitHub stars is the most important and intuitive hard traffic indicator that VCs value.

A partner of the well-known investment institution Redpoint once publicly revealed an invisible threshold:

For open-source startup projects, the median number of stars for seed-round financing is 2850, and projects in the Series A round need to reach 4980.

So, entrepreneurs started doing the math:

To reach the seed-round threshold, 2850 stars are needed. Calculated at $0.03-0.10 per star, the overall packaging cost is between $85 and $285.

But the return on this tiny investment is of an entirely different order.

The general range of seed-round financing for open-source projects is between $1 million and $10 million. Roughly calculated, the ROI of buying stars can be as high as 117,000 times... Spending a few hundred dollars to buy stars in exchange for millions in financing, anyone can do the math.

Image source: Awesome Agents

The top venture capital firm Runa Capital releases a list of the fastest-growing open-source projects every quarter, which is widely used as a reference in the industry.

Data shows that 68% of the projects on the list can successfully secure seed-round financing, with a cumulative total of up to $169 million. It is a recognized indicator of high-quality projects in the industry.

However, analysis of Union Labs, the star project that ranks first on this authoritative list with an extremely high 74,000 stars, found that 47.4% of its stars are suspected to be fake.

The reason is that its fork-to-star ratio is only 0.052, while the normal range for healthy and truly active open-source projects in the industry is stable at 0.1-0.2.

So, a vicious cycle is formed: VCs select projects based on stars → entrepreneurs buy stars to boost data → VCs trust stars more because of the false data → more people follow suit → more people buy...

Since the star count is unreliable, what should we look at?

Netizens shared their screening methods. First, look at the last commit date. The newer, the better, indicating that someone is maintaining the project.

Then, look at the project's age and update frequency. As long as an old project is still being stably iterated, it can be considered a guarantee of quality.

In addition, the quality of issues and core code is also relatively important.

The guy is really honest: What can the star count tell me? It's either an indirect result of the above factors or just pure fraud. Anyway, to judge the quality of a project, you still have to look back at these hard indicators.

Indeed, although you can buy stars, you can't buy a PR that really helps you fix bugs.

CMU Research:

https://arxiv.org/abs/2412.13459

Reference Links:

[1] https://awesomeagents.ai/news/github-fake-Stars-investigation/

[2] https://news.ycombinator.com/item?id=47831621

This article is from the WeChat official account "QbitAI", author: Wen Le. Republished by 36Kr with authorization.