Buying GitHub stars is the sort of thing that invites the wrong kind of laughter. It sounds like a startup founder paying for imaginary applause. Embarrassing, yes. Slightly comic, yes. Also not the point.

The interesting part is that GitHub stars are not just decorative pixels. They are a public reputation signal on a platform where people discover code, evaluate projects, shortlist dependencies, and make rough judgments about what looks active, credible, and worth a closer look. Once that signal is cheap to launder, the problem stops being vanity and starts becoming trust.

That is what makes the market for fake stars worth writing about. Not because I think a few bought stars magically turn a mediocre repository into the next Linux. The evidence for that stronger claim is weak, and there is now direct experimental work suggesting the effect on downloads may be much smaller than people assume. The real issue is simpler and more structural: code hosting has acquired the counterfeit-attention economy of every other platform, except that the thing being counterfeited here is credibility around executable artifacts.


Why Stars Are Worth Buying At All

Developers like to pretend they do not use heuristics. They do.

The 2018 paper What’s in a GitHub Star? found that stars are not merely bookmarks or idle gestures. They function as a visible signal of interest, approval, and project standing, and three out of four surveyed developers said they consider star counts before using or contributing to a repository. Earlier work by Borges, Hora, and Valente treated stars directly as a popularity measure; later work on repository centrality argued that star-network structure itself carries meaningful information about project prevalence and lifespan.

None of this means stars are a perfect metric. It means they are a real one. Imperfect metrics are exactly the kind people manipulate, because they are visible enough to matter and simple enough to game.

There is also a social layer here that is hard to quantify but easy to observe. A repository with five stars looks like somebody’s weekend experiment. A repository with five thousand looks like infrastructure. That impression may be lazy, unfair, and often wrong. It is still how human beings scan crowded information environments. A star count is not a proof of quality. It is a shortcut. Shortcuts are where fraud lives.


The Business Is Surprisingly Banal

The market for fake GitHub engagement is less “underground sophistication” than ordinary engagement fraud wearing a developer T-shirt.

The best recent academic anchor here is Hao He and colleagues’ Six Million (Suspected) Fake Stars in GitHub. The title sounds dramatic, but the really useful part is how undramatic the mechanism is. The paper describes fake-star activity at scale, rising sharply in 2024, with coordinated accounts, trivial activity patterns, and millions of suspected inauthentic stars spread across thousands of repositories. This is not a rare exotic trick. It is a market.
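One way to turn the "coordinated accounts, trivial activity patterns" observation into a check a defender can run over a repository's stargazer list, as an added example that is not the paper's method or any project's code: flag stars that arrive in a same-day burst from accounts that are either freshly created or have almost no public footprint. The thresholds and the sample records are constructed assumptions, not values from the page.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta

@dataclass
class Stargazer:
    """One star on a repository plus the starring account's public profile facts."""
    login: str
    starred_at: datetime   # when the account starred the repo
    created_at: datetime   # when the account itself was created
    public_repos: int
    followers: int

def is_low_activity(s: Stargazer, max_repos: int = 1, max_followers: int = 1) -> bool:
    # "Trivial activity": an account that has published and attracted almost nothing.
    return s.public_repos <= max_repos and s.followers <= max_followers

def is_young_account(s: Stargazer, max_age_days: int = 30) -> bool:
    # Account created shortly before it starred this repository.
    return s.starred_at - s.created_at <= timedelta(days=max_age_days)

def burst_days(stars: list[Stargazer], min_per_day: int = 10) -> set[date]:
    # Days on which the repository received an unusually dense cluster of stars.
    per_day = Counter(s.starred_at.date() for s in stars)
    return {d for d, n in per_day.items() if n >= min_per_day}

def suspicious_fraction(stars: list[Stargazer]) -> float:
    """Share of stars that arrived in a burst AND came from a low-activity or young account."""
    if not stars:
        return 0.0
    bursts = burst_days(stars)
    flagged = [s for s in stars
               if s.starred_at.date() in bursts and (is_low_activity(s) or is_young_account(s))]
    return len(flagged) / len(stars)

def constructed_sample() -> list[Stargazer]:
    # Constructed data, not real accounts: 8 organic stars spread over weeks from
    # established accounts, then 20 stars within one day from fresh, empty accounts.
    base = datetime(2024, 6, 1)
    organic = [Stargazer(f"dev{i}", base + timedelta(days=7 * i), base - timedelta(days=900 + i),
                         public_repos=5 + i, followers=3 + i) for i in range(8)]
    burst = base + timedelta(days=60)
    bots = [Stargazer(f"acct{i}", burst + timedelta(minutes=i), burst - timedelta(days=3),
                      public_repos=0, followers=0) for i in range(20)]
    return organic + bots

if __name__ == "__main__":
    print(f"suspicious fraction: {suspicious_fraction(constructed_sample()):.2f}")  # 0.71
```

A high fraction is a prompt for closer reading of the repository, not a verdict: legitimate launches also produce star bursts, which is why the burst signal is only counted when the account itself also looks hollow.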

Reporting and vendor pages make the market look even more ordinary. WIRED managed to buy 50 stars for a dormant repository for $6 paid in ether. Dagster, while building its own fake-star detection work, bought stars from public services including Baddhi Shop and GitHub24. Public storefronts have advertised GitHub stars with the same language used across the wider SMM economy: visibility, credibility, promotion, “real” users, quick delivery, refill guarantees.

The payment story is also more boring than the confident crypto-only versions of this thesis. Cryptocurrency does show up repeatedly. WIRED’s test purchase used ether. Some vendors clearly lean on crypto rails. But the visible market is mixed, not exclusively crypto. Public pages and policy text have also displayed PayPal, cards, bank transfer, UPI, PhonePe, regional wallet systems, and other mainstream payment methods. That matters because it tells us what kind of market this is. Not an occult darknet specialty. Just a grubby, normalized, public-facing attention business that happens to sell fake trust around code.

That banality is the point. If laundering repository popularity required elite access, the security implications would be narrower. If it is a cheap checkout flow, the problem is structural.


What The Evidence Says Stars Actually Do

This is where the piece needs one explicit concession.

The strongest version of the popular argument would be: buy stars, get users. That turns out to be too neat. Lucas Shen and Gaurav Sood’s 2026 paper Social Proof is in the Pudding ran field experiments on GitHub repositories and found no discernible effect of bought stars on package downloads, forks, pull requests, issues, or other developer-engagement measures. If your claim is that stars are a reliably profitable conversion funnel all by themselves, that paper is bad news.

It is also useful news, because it sharpens the argument.

The case against fake stars does not need to rest on a simplistic theory that developers see a number, lose all critical faculties, and start running whatever glitters. Stars can matter without mechanically driving downloads. They can matter at the earlier and sloppier stage: first impressions, shortlisting, perceived legitimacy, investor decks, media coverage, conference talk slides, recruiter heuristics, and the general “this seems real” layer that precedes more careful scrutiny.

In other words: fake stars may be bad at producing commitment, but still good at laundering plausibility.

And plausibility is often enough. Attackers do not need every viewer. They need some viewers to stop being careful.


Where This Turns From Embarrassing To Dangerous

The 2024 fake-stars paper is useful precisely because it does not leave the issue at vanity. Its most important result is not that some founders may be inflating ego metrics. It is that the majority of fake stars in the authors' analysis were used to promote short-lived phishing and malware repositories.

That is the real story.

GitHub has been a security surface for years. Beyond the Surface found that a non-trivial share of GitHub-hosted CVE proof-of-concept repositories were malicious: exfiltration, malware installation, trojanized binaries, hard-coded reverse shells. Unveiling A Hidden Risk showed that repositories framed as educational can still contain malware families and malicious intent. Kaspersky’s 2025 reporting on the GitVenom campaign described hundreds of fake projects with polished README files, inflated commit histories, and malicious payloads hidden across Python, JavaScript, C, C++, and C# code. Check Point’s reporting on the Stargazers Ghost Network was even more direct: a network of GitHub accounts used stars, forks, watches, and other activity to make phishing and malware repositories appear legitimate.

That is why fake popularity on GitHub matters differently from fake popularity on Instagram. On Instagram, the counterfeit product is attention. On GitHub, the counterfeit product is trust in code.

The same basic bundle keeps recurring:

  • a plausible repository topic
  • a polished README
  • tags chosen to catch search traffic
  • signs of activity or apparent history
  • inflated engagement signals
  • some external lure or malicious payload waiting behind the facade

Not every malicious repository needs fake stars, and not every repository with fake stars is malicious. But the overlap is strong enough that treating stars as mere vanity misses the supply-chain and malware angle completely.


The Structural Problem

What makes this irritating is not the moral quality of the buyers. There will always be people willing to cheat a public metric. That is the least surprising fact in the world.

The real problem is that platforms keep exposing low-cost trust signals and users keep over-reading them.

GitHub did not invent this pattern. Every platform that publicly ranks, recommends, or summarizes social approval acquires an economy devoted to counterfeiting that approval. Campbell’s law and Goodhart’s law are waiting in the lobby. The difference is that on a code-hosting platform, the downstream object is not a post or a lifestyle brand. It is software, scripts, dependencies, proof-of-concept exploits, build tooling, installers, and copied snippets that may end up running inside real systems.

Once you see it that way, the question “Do fake stars boost downloads?” is too narrow. The more important questions are:

  • Do they help a malicious repository survive first contact with a human reader?
  • Do they help it look non-ridiculous long enough to earn one click, one clone, one copied command, one meeting, one investor glance, one journalist mention?
  • Do they make a fraudulent project blend into the background noise of normal open-source activity?

That threshold is much lower than mass adoption. It only has to work sometimes.


The Joke Is Still Wrong

So yes, buying GitHub stars is pathetic. But that is still the least interesting thing about it.

The embarrassing part is real. The boring part is the actual story. There is a public, low-friction market for faking a trust signal that developers visibly use as a shortcut. The latest evidence suggests that signal may not reliably translate into downstream downloads, which is worth saying plainly. It does not need to. Counterfeit social proof is still useful for laundering credibility, and on GitHub credibility attaches to things people execute.

That is why this is not just a story about insecure founders buying vanity metrics. It is a story about code hosting inheriting the same fraudulent attention economy as every other platform, except here the object being sold is trust in executable artifacts. That is not ridiculous. That is a security problem.


References

Papers and Preprints

  1. Hudson Borges and Marco Tulio Valente, “What’s in a GitHub Star? Understanding Repository Starring Practices in a Social Coding Platform”, 2018.
  2. Hudson Borges, Andre Hora, and Marco Tulio Valente, “Predicting the Popularity of GitHub Repositories”, 2016.
  3. Runzhi He, Hengzhi Ye, and Minghui Zhou, “Revealing the value of Repository Centrality in lifespan prediction of Open Source Software Projects”, 2024.
  4. Hao He, Haoqin Yang, Philipp Burckhardt, Alexandros Kapravelos, Bogdan Vasilescu, and Christian Kastner, “Six Million (Suspected) Fake Stars in GitHub: A Growing Spiral of Popularity Contests, Spams, and Malware”, 2024/2025.
  5. Lucas Shen and Gaurav Sood, “Social Proof is in the Pudding: The (Non)-Impact of Social Proof on Software Downloads”, 2026.
  6. Soufian El Yadmani, Robin The, and Olga Gadyatskaya, “Beyond the Surface: Investigating Malicious CVE Proof of Concept Exploits on GitHub”, 2022/2023.
  7. Md Rayhanul Masud and Michalis Faloutsos, “Unveiling A Hidden Risk: Exposing Educational but Malicious Repositories in GitHub”, 2024.

Reporting and Investigations

  1. Kari McMahon, WIRED, “The GitHub Black Market That Helps Coders Cheat the Popularity Contest”, 2023.
  2. Fraser Marlow, Dagster, “Tracking the Fake GitHub Star Black Market with Dagster, dbt and BigQuery”, 2023.
  3. Bill Toulas, BleepingComputer, “Over 3.1 million fake ‘stars’ on GitHub projects used to boost rankings”, 2024.
  4. Antonis Terefos, Check Point Research, “Stargazers Ghost Network”, 2024.
  5. Georgy Kucherin and Joao Godinho, Securelist, “The GitVenom campaign: cryptocurrency theft using GitHub”, 2025.

Vendor and Archive Evidence

  1. Followdeh, “Buy Github Stars”, accessed 2026-04-17.
  2. Baddhi Shop, “GitHub Repository Promotion & Developer Engagement Growth Service”, accessed 2026-04-17.
  3. PlayerUp, “Github Stars for Sale - Buy & Sell”, archived capture.

Changelog

  • 2026-04-17: Initial publication. Vendor and payment-method references were checked against publicly visible pages or archived captures available on that date; those pages are mutable and may change or disappear.