You can’t trust the stars on GitHub — I just learned that. Like on other social networks, stars can be bought on GitHub. This creates the misleading impression that a piece of software is especially popular and trustworthy. Unfortunately, this tactic appears to be frequently used to spread malware.
The Rise of Fake GitHub Stars: A Growing Security Threat (cyberinsider.com)
Given that, repository activity should be verified beyond star counts. Look for meaningful contributions such as issues, pull requests, and active discussions. Additionally, reputation metrics such as OpenSSF Scorecards should be considered, as they provide a more holistic evaluation of a project's security posture.
GitHub is also responsible for tackling this problem. The paper suggests implementing weighted popularity metrics that account for account authenticity and activity diversity. It also recommends that the platform enhance its moderation systems to correlate fake star activity with malicious repositories for timely takedowns.
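As an added illustration (not code from the original post or from cyberinsider.com), the following Python script applies the two ideas above to constructed data: it discounts stars from accounts with no footprint that starred within days of being created, measures how much of the star count arrived in one burst, and weights the result by how diverse the repository's activity is. The stargazer fields mirror what the GitHub API exposes, but the sample records, the thresholds and the scoring formula are illustrative assumptions, not GitHub's metric or the paper's.

```python
from datetime import datetime, timedelta

# Constructed sample stargazers (not real accounts). Fields mirror the GitHub
# API: account created_at, starred_at, followers, public_repos.
STARGAZERS = [
    {"login": "old-dev-1", "created_at": "2016-03-02T00:00", "starred_at": "2024-03-10T09:12", "followers": 120, "public_repos": 40},
    {"login": "old-dev-2", "created_at": "2019-11-20T00:00", "starred_at": "2024-04-22T17:45", "followers": 8, "public_repos": 5},
    {"login": "new-acct-1", "created_at": "2024-05-01T00:00", "starred_at": "2024-05-03T10:00", "followers": 0, "public_repos": 0},
    {"login": "new-acct-2", "created_at": "2024-05-01T00:00", "starred_at": "2024-05-03T10:02", "followers": 0, "public_repos": 0},
    {"login": "new-acct-3", "created_at": "2024-05-02T00:00", "starred_at": "2024-05-03T10:05", "followers": 0, "public_repos": 0},
]
# Constructed activity counts for the same repository: one contributor, nothing else.
ACTIVITY = {"issues": 0, "pull_requests": 0, "discussions": 0, "contributors": 1}

def is_low_authenticity(star, max_age_days=30):
    """Account that starred within days of being created and has no public footprint.
    The 30-day / zero-followers / zero-repos threshold is an illustrative assumption."""
    age = datetime.fromisoformat(star["starred_at"]) - datetime.fromisoformat(star["created_at"])
    return (age < timedelta(days=max_age_days)
            and star["followers"] == 0 and star["public_repos"] == 0)

def burst_ratio(stargazers, window=timedelta(hours=24)):
    """Largest share of all stars that arrived inside any single time window."""
    times = sorted(datetime.fromisoformat(s["starred_at"]) for s in stargazers)
    best = 0
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best / len(times)

def activity_diversity(activity):
    """Fraction of activity types (issues, PRs, discussions, contributors) that are non-zero."""
    return sum(1 for v in activity.values() if v > 0) / len(activity)

def weighted_popularity(stargazers, activity):
    """Stars from authentic-looking accounts, discounted by how one-sided the repo's activity is."""
    genuine = sum(1 for s in stargazers if not is_low_authenticity(s))
    return genuine * activity_diversity(activity)

def triage(stargazers, activity):
    """Summarise the signals; 'suspicious' when most stars look inauthentic and came in a burst."""
    low = sum(1 for s in stargazers if is_low_authenticity(s))
    burst = burst_ratio(stargazers)
    suspicious = low / len(stargazers) > 0.5 and burst > 0.5
    return {"raw_stars": len(stargazers), "low_authenticity": low, "burst_ratio": round(burst, 2),
            "weighted_popularity": weighted_popularity(stargazers, activity),
            "verdict": "suspicious" if suspicious else "plausible"}
```

Running `triage(STARGAZERS, ACTIVITY)` turns five raw stars into a weighted popularity of 0.5 and a "suspicious" verdict; the same two long-standing accounts on a repository with issues, pull requests, discussions and several contributors score higher than the padded one.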
The text was automatically translated from German into English. The German quotations were also translated in sense.