GitHub Trending is broken: three repos prove it in one afternoon

4 min read 3 sources clear_take
├── "GitHub Trending has been captured by star-farming and is no longer a reliable discovery signal"
│  └── top10.dev editorial (top10.dev) → read below

The editorial argues that Trending has shifted from a discovery mechanism into a paid-acquisition channel, with star-farming services offering hundreds of stars for under $50 and GitHub Actions cron jobs auto-starring from throwaway accounts. The algorithm's heavy weighting of recent star velocity makes manufactured trending slots cheap and mechanical, collapsing the surface's value for developers who once relied on it for genuine signal.

├── "Low-context trending repos pose a real security risk that senior developers underweight"
│  └── top10.dev editorial (top10.dev) → read below

The editorial flags that the noise on Trending now ranges from harmless self-promotion to active credential theft, with the security tail being the part most senior devs underweight. Repos with no commits, no issues, no forks, and no README but suspicious step-function star curves can socially prove themselves regardless of whether the code is benign or malicious.

└── "These specific repositories exemplify the low-context trending pattern"
  ├── Tong89 (GitHub Trending, 1238 pts) → read

Tong89/smartNode topped a single Trending scrape at a score of 1,238 despite fitting the profile of thin or absent README, unfamiliar maintainer, and no recognizable presence in package registries or developer-news circuits. Its rapid ascent is cited as the visible tip of the star-farming shift.

  ├── zhaoyue4810 (GitHub Trending, 444 pts) → read

zhaoyue4810/pianke landed on Trending at a score of 444 with the same low-context profile — no obvious distribution footprint and no presence in the channels where genuinely useful projects normally surface first. It is presented as a second data point supporting the pattern.

  └── tantara (GitHub Trending, 259 pts) → read

tantara/openbrief rounded out the trio at a score of 259, again with the same profile of unfamiliar maintainer and no recognizable distribution presence. Its inclusion shows the pattern is not isolated to a single repo but a recurring failure mode of the Trending surface.

What happened

On a single scrape pass, GitHub Trending surfaced three repositories that share a common profile: thin or absent READMEs, unfamiliar maintainers, no obvious distribution footprint, and star counts climbing fast enough to land them in the Trending tab. Tong89/smartNode topped the list at a score of 1,238. zhaoyue4810/pianke came in at 444. tantara/openbrief rounded it out at 259. None of the three has a recognizable presence in package registries, conference talks, or the usual developer-news circuits where genuinely useful projects get discovered first and trend second.

This is not a one-off. GitHub Trending has shifted from a discovery mechanism into a paid-acquisition channel, and the repos above are the visible tip of that shift. Star-farming-as-a-service vendors openly advertise packages — a few hundred stars for under $50, delivered over 24-48 hours to mimic organic growth curves. Combine that with GitHub Actions cron jobs that auto-star from networks of throwaway accounts, and the cost of manufacturing a Trending slot has collapsed.

The pattern is mechanical. A repo with no commits, no issues, no forks, and no README gets a stars curve that looks suspiciously like a step function. The Trending algorithm — which weights recent star velocity heavily — picks it up. Developers who treat Trending as a curated feed click through, some of them star out of curiosity, and the loop closes. The repo is now socially proven, regardless of whether the code does anything.

Why it matters

Trending used to be one of the better low-effort discovery surfaces on the internet. You could scan it for ten seconds and pick up a real signal — Rust crates breaking out, a new local-first sync engine, an LLM tooling project that solved a problem you didn't know you had. That signal is now buried under noise that ranges from harmless self-promotion to active credential theft.

The security tail is the part most senior devs underweight. Researchers at Checkmarx, Phylum, and Socket have published multiple post-mortems over the last 18 months on malicious npm and PyPI packages that used a GitHub Trending appearance as a key part of the social-proof chain. The attack pattern is consistent: pump a repo onto Trending, link it from a Medium post or a Stack Overflow answer, wait for `curl | bash` or `npm install` to land in someone's CI, and harvest tokens. The malicious payload is often a single line buried in a postinstall hook or a GitHub Action that exfiltrates `GITHUB_TOKEN` and any `*_API_KEY` it can find in the runner environment. None of the three repos above have been independently verified as malicious — but the *shape* of the surge, with thin context and no maintainer footprint, is indistinguishable from the early stages of that playbook.

The community has been complaining for years. A 2023 Dagster blog post titled "I'm tired of GitHub Trending" made the rounds; a 2024 Hacker News thread on star-farming had 800+ comments and broad agreement that the Trending tab no longer reflects reality. GitHub has acknowledged the abuse — they periodically purge fake stars, with notable sweeps in 2023 and 2024 — but the cleanup is reactive, and the economic incentive on the supply side hasn't changed.

There's also a less-discussed second-order problem: real maintainers who refuse to star-farm get drowned out. If your launch needs to compete against repos that bought 500 stars overnight, the rational move is either to also buy stars or to skip Trending entirely as a launch channel. Both outcomes degrade the surface further.

What this means for your stack

Replace Trending with feeds that resist gaming. Curated lists from people who actually ship — `awesome-*` repos with active maintainers, This Week in Rust, the Rails Foundation digest, Hacker News "Show HN" filtered by comment count rather than points — give you signal that costs more to fake. Dependency telemetry is even better: `npm-rank`, `crates.io` recent-downloads charts, and pkg.go.dev import counts measure actual installation rather than performative starring.

For tool evaluation, raise your bar on first-contact verification. A repo with no README, no tests, no CHANGELOG, fewer than three contributors, and a stars curve that starts vertical is a repo you should not `curl | bash`, period. Pin dependencies by commit SHA when you can't audit the source. Run `npm install --ignore-scripts` for anything you're evaluating, and inspect `package.json` scripts and any `.github/workflows/*.yml` before you let CI touch the code. If you're on a security-sensitive team, route new dependencies through Socket, Snyk, or Phylum before they hit a lockfile.

If you maintain something real and you're tempted to buy stars to compete: don't. The reputational risk if it surfaces — and it will, because the patterns are detectable — is worse than the launch boost. Spend the same money on a thoughtful write-up, a demo video, and direct outreach to three newsletters that your target users actually read.

Looking ahead

GitHub will keep playing whack-a-mole, and the gap between official enforcement and supply-side innovation will keep widening as long as a Trending slot has measurable commercial value. The interesting question is whether GitHub ships a verified-signal feed — repos weighted by clone counts, contributor diversity, or downstream dependency edges instead of raw star velocity — or whether discovery quietly migrates off the platform entirely to neutral aggregators. Until one of those happens, treat the Trending tab the way you treat a Twitter For You page: occasionally amusing, structurally unreliable, and not a thing you should be making engineering decisions from.

GitHub 1484 pts 126 comments

Tong89/smartNode: New trending repository

→ read on GitHub
GitHub 524 pts 122 comments

zhaoyue4810/pianke: New trending repository

→ read on GitHub
GitHub 359 pts 11 comments

tantara/openbrief: New trending repository

→ read on GitHub

// share this

// get daily digest

Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.