The study identifies 6 million suspected fake stars on GitHub across 18,617 repositories. Such activity surged in 2024, and much of it was used for phishing, spam, and malware distribution, concentrated in areas such as AI and blockchain. Detection relies on behavioral features such as throwaway accounts and "synchronized" bursts of starring. Fake stars can attract genuine attention in the short term, but their long-term effect is negative and cannot make up for a lack of substance. Once a visible social signal like stars is treated as trust infrastructure, an attacker only needs to manufacture momentary credibility to carry out an attack, which poses a systemic threat to the open-source ecosystem.
This paper shows that GitHub stars can be bought at scale, and that the distortion now bleeds into security.
The authors identify 6 million suspected fake stars tied to 18,617 repositories.
That matters because stars are not just vanity on GitHub.
They are a shortcut people use to decide what looks credible, useful, or safe enough to try, even though earlier work already suggested stars are only a rough proxy for real adoption.
The problem is not just inflated popularity, but the way a weak social signal becomes infrastructure for malware, spam, and low-effort hype once enough people treat it as evidence.
The paper's detection strategy is clever because it does not need to prove intent account by account.
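To make the two behavioral features the summary names concrete (throwaway accounts and "synchronized" bursts), here is an added illustration that is not the paper's StarScout code: a small Python detector run over constructed star events. The account attributes, the 30-day age cutoff, the 15-minute burst window and the cluster size of 3 are all assumed thresholds chosen for the example, not values from the paper.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the paper). Each account snapshot carries the
# attributes the heuristic looks at; each star event is (login, repo, starred_at).
T0 = datetime(2024, 3, 1, 12, 0)
ACCOUNTS = {
    "u1":  {"followers": 0,   "public_repos": 0,  "created": T0 - timedelta(days=2)},
    "u2":  {"followers": 0,   "public_repos": 0,  "created": T0 - timedelta(days=1)},
    "u3":  {"followers": 0,   "public_repos": 0,  "created": T0 - timedelta(days=3)},
    "u4":  {"followers": 0,   "public_repos": 0,  "created": T0 - timedelta(days=2)},
    "u5":  {"followers": 0,   "public_repos": 0,  "created": T0 - timedelta(days=5)},
    "dev": {"followers": 120, "public_repos": 14, "created": T0 - timedelta(days=900)},
}
STARS = [
    ("u1", "acme/ai-agent", T0),                            # four throwaway accounts
    ("u2", "acme/ai-agent", T0 + timedelta(minutes=2)),     # star within ten minutes
    ("u3", "acme/ai-agent", T0 + timedelta(minutes=5)),
    ("u4", "acme/ai-agent", T0 + timedelta(minutes=9)),
    ("dev", "acme/ai-agent", T0 + timedelta(minutes=4)),    # an established account
    ("u5", "acme/legit-lib", T0 - timedelta(days=3)),       # throwaways, but spread
    ("u1", "acme/legit-lib", T0 + timedelta(days=4)),       # out over a week
    ("dev", "acme/legit-lib", T0 + timedelta(days=1)),
]

def is_throwaway(acct, at, max_age=timedelta(days=30)):
    """Low-activity heuristic (assumed thresholds): no followers, no public
    repositories, and an account younger than max_age at the time of the star."""
    return (acct["followers"] == 0 and acct["public_repos"] == 0
            and at - acct["created"] < max_age)

def suspected_fake_stars(stars, accounts, window=timedelta(minutes=15), min_cluster=3):
    """Return {repo: [logins]} for stars from throwaway accounts that arrive as a
    synchronized burst: a run in which each star follows the previous one within
    `window`, and the run contains at least `min_cluster` accounts."""
    by_repo = defaultdict(list)
    for login, repo, at in stars:
        if is_throwaway(accounts[login], at):
            by_repo[repo].append((at, login))
    flagged = {}
    for repo, events in by_repo.items():
        events.sort()  # order by time so gaps between consecutive stars are meaningful
        cluster = [events[0]]
        for ev in events[1:]:
            if ev[0] - cluster[-1][0] <= window:
                cluster.append(ev)
                continue
            if len(cluster) >= min_cluster:  # close the run and flag it if large enough
                flagged.setdefault(repo, []).extend(l for _, l in cluster)
            cluster = [ev]
        if len(cluster) >= min_cluster:      # flush the final run
            flagged.setdefault(repo, []).extend(l for _, l in cluster)
    return flagged
```

Neither feature alone is conclusive: a brand-new account starring once is normal, and a burst of established accounts is what a Hacker News front page looks like; the signal is the combination.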