A peer-reviewed CMU study (ICSE 2026) found 6 million fake stars across 18,617 repositories using 301,000 accounts - with AI/LLM repos the largest non-malicious category.

The definitive account comes from a peer-reviewed study presented at ICSE 2026 by researchers at Carnegie Mellon University, North Carolina State University, and Socket. Their tool, StarScout, analyzed 20 terabytes of GitHub metadata - 6.7 billion events and 326 million stars from 2019 to 2024 - and identified approximately 6 million suspected fake stars distributed across 18,617 repositories by roughly 301,000 accounts.
The problem accelerated dramatically in 2024. By July, 16.66% of all repositories with 50 or more stars were involved in fake star campaigns - up from near-zero before 2022. The researchers' detection proved accurate: 90.42% of flagged repositories and 57.07% of flagged accounts had been deleted as of January 2025, confirming GitHub itself recognized these as illegitimate.
Key Points:
- Stars sell for $0.03 to $0.85 each on at least a dozen websites, Fiverr gigs, and Telegram channels - no dark web required
- VCs explicitly use stars as sourcing signals: Redpoint found the median star count at seed is 2,850, and firms run automated scrapers to find fast-growing repos
- An analysis sampling 150 profiles per repo across 20 projects found repos where 36-76% of stargazers have zero followers and fork-to-star ratios are 10x below organic baselines
- The FTC's 2024 rule banning fake social influence metrics carries penalties of $53,088 per violation - and the SEC has already charged startup founders for inflating traction metrics during fundraising
Source: Awesome Agents
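
The two signals named in the key points (share of sampled stargazers with zero followers, and fork-to-star ratio against an organic baseline) can be computed as a quick screen before trusting a repository's star count. This is an added example, not code from the study, StarScout, or the cited analysis; the 0.36 cutoff reuses the low end of the reported range as an assumed threshold, and the 0.15 baseline ratio and all sample data are constructed.

```python
import random

# Assumed threshold: low end of the 36-76% range reported for suspicious repos.
ZERO_FOLLOWER_FLOOR = 0.36
SAMPLE_SIZE = 150  # profiles sampled per repo, as in the analysis described


def screen_repo(stars, forks, stargazer_followers, baseline_fork_ratio, seed=0):
    """Compute both signals for one repository and list which ones trip.

    stargazer_followers: follower count for each known stargazer profile.
    baseline_fork_ratio: organic forks-per-star ratio for comparable repos;
                         the page gives no value, so the caller supplies one.
    """
    if stars <= 0 or not stargazer_followers:
        raise ValueError("need at least one star and one stargazer profile")
    rng = random.Random(seed)  # fixed seed keeps the sample reproducible
    k = min(SAMPLE_SIZE, len(stargazer_followers))
    sample = rng.sample(stargazer_followers, k)
    zero_share = sum(1 for followers in sample if followers == 0) / k
    fork_ratio = forks / stars
    flags = []
    if zero_share >= ZERO_FOLLOWER_FLOOR:
        flags.append("zero_follower_stargazers")
    if fork_ratio <= baseline_fork_ratio / 10:  # "10x below" the baseline
        flags.append("low_fork_to_star_ratio")
    return {"sampled": k, "zero_follower_share": zero_share,
            "fork_to_star_ratio": fork_ratio, "flags": flags}


# Constructed sample data, not real repositories. 0.15 is a placeholder baseline.
ORGANIC = screen_repo(stars=4000, forks=600,
                      stargazer_followers=[0] * 40 + [12] * 360,
                      baseline_fork_ratio=0.15)
INFLATED = screen_repo(stars=4000, forks=40,
                       stargazer_followers=[0] * 350 + [3] * 50,
                       baseline_fork_ratio=0.15)

if __name__ == "__main__":
    for name, result in (("organic", ORGANIC), ("inflated", INFLATED)):
        print(name, result)
```

Either flag alone is a reason to look closer, not proof of purchased stars; small or very new repositories can trip both organically.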