# Six Million (Suspected) Fake GitHub Stars: A Vicious Spiral of Popularity Contests, Spam and Malware

- Source: Rohan Paul (@rohanpaul_ai)
- Published: 2026-04-16 08:05
- AIHOT link: https://aihot.virxact.com/items/cmo0tfgfh02lbsli28jlwya6e
- Original link: https://x.com/rohanpaul_ai/status/2044567914859397181

## AI Summary

The study identifies 6 million suspected fake stars on GitHub spanning 18,617 repositories. Such activity surged in 2024, with much of it used for phishing, spam and malware distribution, concentrated in areas such as AI and blockchain. Detection relies on behavioral traits such as throwaway accounts and "lockstep" bursts. Although fake stars can bring real attention in the short term, the long-term effect is negative and cannot make up for a lack of substance. Once a visible social signal like stars is treated as trust infrastructure, attackers only need to manufacture momentary credibility to carry out an attack, which poses a systemic threat to the open-source ecosystem.

## Body

This paper shows that GitHub stars can be bought at scale, and that the distortion now bleeds into security.

The authors identify 6 million suspected fake stars tied to 18,617 repositories.

That matters because stars are not just vanity on GitHub.

They are a shortcut people use to decide what looks credible, useful, or safe enough to try, even though earlier work already suggested stars are only a rough proxy for real adoption.

The problem is not just inflated popularity, but the way a weak social signal becomes infrastructure for malware, spam, and low-effort hype once enough people treat it as evidence.

The paper's detection strategy is clever because it does not need to prove intent account by account.

It looks for behavioral signatures that are hard to fake at scale: throwaway accounts with almost no activity, and coordinated "lockstep" bursts where many accounts star many repositories within short windows.

What they find is ugly.

Fake-star activity surged in 2024, most flagged repositories were later deleted, many appear to have been phishing or spam, and the surviving non-malicious-looking targets cluster in predictable status games like AI, blockchain, tools, and demos.

The most interesting result is about incentives.

Fake stars do appear to buy a little real attention for less than two months, but the effect is far smaller than genuine popularity and turns negative over time, which suggests that social proof can open the door but cannot compensate for weak underlying substance.

Once a platform's easiest visible number starts standing in for trust, attackers do not need to beat the system completely; they only need to be believable for a moment.

----

Paper Link - arxiv.org/abs/2412.13459

Paper Title: "Six Million (Suspected) Fake Stars in GitHub: A Growing Spiral of Popularity Contests, Spams, and Malware"
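An added example (not from the paper or this post) that implements a simple reading of the two behavioral signals described above in Python over constructed star events: throwaway accounts are approximated by their star count, and a lockstep burst is a group of such accounts that show up together in the same gap-clustered star bursts on several repositories. The event format, the thresholds and the gap-clustering rule are assumptions for illustration, not the paper's method.

```python
from collections import defaultdict

# Constructed sample of star events (user, repo, unix_ts); not real GitHub data. bot1..bot4
# star repoA then repoB minutes apart and do nothing else; alice, bob and carol star at unrelated times.
EVENTS = [
    ("bot1", "repoA", 1_700_000_000), ("bot2", "repoA", 1_700_000_120),
    ("bot3", "repoA", 1_700_000_300), ("bot4", "repoA", 1_700_000_420),
    ("bot1", "repoB", 1_700_003_600), ("bot2", "repoB", 1_700_003_700),
    ("bot3", "repoB", 1_700_003_900), ("bot4", "repoB", 1_700_004_000),
    ("alice", "repoA", 1_699_000_000), ("alice", "repoC", 1_699_500_000),
    ("bob", "repoB", 1_700_200_000), ("bob", "repoC", 1_700_300_000),
    ("carol", "repoA", 1_700_000_200), ("carol", "repoC", 1_698_000_000),
    ("carol", "repoD", 1_698_100_000),
]

def low_activity_users(events, max_events=2):
    """Signal 1: throwaway accounts, approximated as <= max_events stars in the sample."""
    counts = defaultdict(int)
    for user, _, _ in events:
        counts[user] += 1
    return {u for u, c in counts.items() if c <= max_events}

def bursts_per_repo(events, gap=900):
    """Gap-cluster each repo's stars: consecutive stars <= gap seconds apart form one burst."""
    by_repo = defaultdict(list)
    for user, repo, ts in events:
        by_repo[repo].append((ts, user))
    bursts = {}  # (repo, burst_index) -> set of users who starred in that burst
    for repo, stars in by_repo.items():
        idx, last_ts = 0, None
        for ts, user in sorted(stars):
            if last_ts is not None and ts - last_ts > gap:
                idx += 1  # gap too large: start a new burst
            bursts.setdefault((repo, idx), set()).add(user)
            last_ts = ts
    return bursts

def lockstep_clusters(events, gap=900, min_users=3, min_repos=2, max_events=2):
    """Signal 2: >= min_users low-activity accounts sharing the same bursts on >= min_repos repos."""
    suspects = low_activity_users(events, max_events)
    signature = defaultdict(set)  # user -> set of (repo, burst_index) it took part in
    for key, users in bursts_per_repo(events, gap).items():
        if len(users & suspects) >= min_users:
            for u in users & suspects:
                signature[u].add(key)
    groups = defaultdict(set)  # identical burst signatures -> users
    for u, sig in signature.items():
        if len({repo for repo, _ in sig}) >= min_repos:
            groups[frozenset(sig)].add(u)
    return [sorted(g) for g in groups.values() if len(g) >= min_users]
```

On the sample, carol lands inside repoA's burst but is an active account and is never flagged, while the four throwaway accounts are grouped because they share both bursts.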
