The investigation documents a thriving commercial market for purchased GitHub stars, with bot-farm operators maintaining armies of throwaway accounts and middlemen reselling starring services. The core argument is that any workflow treating star counts as a proxy for quality or adoption is now making decisions on polluted data, since credible-looking social proof can be bought for the price of a nice dinner.
Beyond distorting project evaluation, the investigation highlights that malware campaigns have used starred-up repositories to lend credibility to trojanized packages, and crypto scam projects inflate their apparent legitimacy the same way. This elevates the fake star problem from a trust issue to a concrete security threat affecting developers who rely on star counts as a first-pass quality filter.
The editorial argues that GitHub stars have become the de facto social proof metric appearing in README badges, VC pitch decks, and job postings, making them the first filter developers apply before evaluating documentation, maintenance cadence, or code quality. The real failure is systemic: the developer community built critical evaluation pipelines atop a single easily-gamed vanity metric rather than harder-to-fake signals like commit activity, issue responsiveness, or dependency adoption.
An investigation into GitHub's fake star ecosystem has surfaced what many open-source veterans suspected but couldn't quantify: there is a thriving commercial market for purchased GitHub stars, and it is large enough to distort how developers, investors, and hiring managers evaluate software projects. The investigation, which reached a score of 570 on Hacker News, documents how star-selling services operate openly — advertising on Telegram, Discord, and dedicated websites — with pricing that ranges from a few dollars for hundreds of stars to low four figures for tens of thousands.
The core finding is damning: star counts on GitHub are now a compromised signal, and any workflow that treats them as a proxy for quality or adoption is making decisions on polluted data. The investigation traces the supply chain from bot-farm operators who maintain armies of throwaway GitHub accounts to middlemen who package and resell starring services, often bundled with fake forks and watch counts for added credibility.
The accounts doing the starring follow recognizable patterns — created in batches, with minimal or no repositories of their own, default profile pictures, and starring activity that comes in suspicious bursts rather than the organic trickle of genuine discovery.
GitHub stars have become the de facto social proof metric for open-source software. They show up in README badges, VC pitch decks, job postings, and — most consequentially — in the mental heuristics developers use when choosing between competing libraries. "Does it have enough stars?" is often the first filter applied before evaluating documentation, maintenance cadence, or code quality.
When that first filter is buyable for the price of a nice dinner, the entire evaluation pipeline downstream is corrupted. This isn't a theoretical concern. Malware campaigns have used starred-up repositories to lend credibility to trojanized packages. Crypto scam projects inflate star counts to pass the smell test. And legitimate but mediocre tools can buy their way past the threshold where developers stop scrutinizing and start `npm install`-ing.
The problem is structurally similar to what happened with app store ratings, Amazon reviews, and social media follower counts — all of which went through a phase where the platform's trust metric became a commodity. In each case, the platform eventually invested heavily in detection and enforcement, but only after the signal had been substantially degraded.
GitHub's position is awkward. The company has acknowledged the problem and periodically purges fake accounts, but the detection-and-removal cycle runs far slower than the bot-farm creation cycle. Stars were never designed as a security or trust mechanism — they're a bookmarking feature that the community repurposed into a reputation system, and GitHub has been reluctant to either fully embrace or fully disclaim that role.
The Hacker News discussion surfaced a telling divide. Some developers argued that stars have always been meaningless vanity metrics, and anyone using them for dependency decisions was already making a mistake. Others pointed out that star counts are embedded in tooling — GitHub's own trending algorithm weights them, "awesome" lists use them as inclusion criteria, and package managers surface them in search results. You can't dismiss a metric while simultaneously building infrastructure around it.
If you're a team lead or architect evaluating dependencies, the practical takeaway is to formally deprecate star counts from your evaluation criteria. This isn't new advice, but the scale of the fake star economy makes it urgent rather than aspirational.
Better signals exist. Download counts from package registries (npm, PyPI, crates.io) are harder to fake because they correlate with actual installation. Commit frequency and recency tell you whether the project is maintained. Issue response time tells you whether the maintainer is engaged. Contributor count — especially contributors who aren't the repo owner — indicates real community investment. The combination of weekly downloads, open-issue-to-closed-issue ratio, and time-since-last-commit gives you a more reliable quality signal in 30 seconds than star count ever did.
For open-source maintainers, the fake star economy creates a prisoner's dilemma. If competing projects are buying stars, your legitimately earned 2,000 stars look modest next to their purchased 15,000. The temptation to "level the playing field" is real, and some maintainers have admitted to it privately. The healthier response is to invest in the signals that can't be bought: thorough documentation, responsive issue handling, and visible adoption by recognized projects or companies.
If you're building internal tooling that surfaces GitHub data — dependency dashboards, security audit tools, tech radar generators — strip star counts from any scoring algorithm, or at minimum weight them near zero. Replace them with the composite metrics above. Your future self will thank you when the next wave of bot-purges causes star counts to swing wildly on repos you depend on.
GitHub will eventually be forced to address this more aggressively — likely through some combination of account-age weighting, starring-velocity anomaly detection, and possibly making the star graph less prominent in the UI. But that's a platform bet, not something you should wait for. The broader lesson is that any single-dimensional public metric on the internet will eventually be gamed to the point of meaninglessness. The defense is always the same: use composite signals, weight actions over declarations, and maintain healthy skepticism toward any number that's easy to inflate and expensive to verify.
These kinds of articles make you feel like there are specific, actionable problems that just need an adjustment and then they disappear. However, the system is much worse than you'd expect. Studies like this are extremely valuable, but they don't address the systematic problems affecting a
I run a tiny site that basically gave a point-at-able definition to an existing adhoc standard. As part of the effort I have a list of software and libraries following the standard on the homepage. Initially I would accept just about anything but as the list grew I started wanting to set a sort of n
Can anyone explain why on earth VC's are making actual investment decisions based on imaginary internet points? This would be like an NFL team drafting a quarterback based on how many instagram followers they have rather than a relevant metric like pass completion, or god forbid, doing some wor
I think people expect the star system to be a cheap proxy for "this is a reliable piece of sorfware which has a good quality and a lot of eyes".I think as a proxy it fails completely: astroturfing aside stars don't guarantee popularity (and I bet the correlation is very weak, a lot of
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
I don't think I have ever used stars in making a decision to use a library and I don't understand why anyone would.Here are the things I look at in order:* last commit date. Newer is better* age. old is best if still updating. New is not great but tolerable if commits aren't rapid* is