The $0.06 Star

Tuesday 21 April 2026 topic: How GitHub's Reputation Economy Got Corrupted

A peer-reviewed study from Carnegie Mellon, presented at ICSE 2026 in Rio de Janeiro, has laid bare something the open-source community has quietly suspected for years: GitHub stars are broken. The study’s tool, StarScout, analyzed 20 terabytes of GitHub metadata — 6.7 billion events and 326 million stars from 2019 to 2024 — and identified approximately 6 million suspected fake stars distributed across 18,617 repositories by some 301,000 bot accounts. By mid-2024, one in six repositories with 50 or more stars had been touched by a fake star campaign. The trust signal that developers and investors rely on is, in a meaningful sense, already compromised.

The Economics Are Absurd

What makes this problem intractable is the price asymmetry. A single GitHub star costs as little as $0.03 on budget marketplaces like SocialPlug.io and Buy.fans. Premium stars — delivered by accounts “seasoned” over 60-90 days with fake commit histories, realistic bios, and aged profiles — cost around €0.85. At the top end, pre-built GitHub accounts with years of commit history, dozens of followers, and contributions to popular repos sell for approximately $5,000 on Telegram. Meanwhile, Redpoint Ventures data shows the median star count at seed financing is 2,850. A founder can manufacture that appearance for $85 to $285 in budget stars — an ROI of up to 117,000x against a typical seed round. When Fraser Marlow, founder of Dagster, admitted he’d spent “a fair amount of time preoccupied with GitHub stars” before fundraising, he was describing a rational response to a broken incentive structure. VCs write internal scraping programs to find fast-growing projects. Runa Capital’s ROSS Index literally ranks startups by star growth. The GitHub Fund, backed by Microsoft’s M12, invests $10 million annually partly based on platform traction signals. Everyone in the pipeline is acting rationally. The system is still producing garbage.

The Spiral Effect

The damage extends beyond vanity metrics. StarScout found 78 repositories with confirmed fake stars that successfully appeared on GitHub Trending — the platform’s main discovery mechanism. This creates what the researchers call a “spiral effect”: fake stars trigger algorithmic promotion, which generates organic discovery, which produces real stars, which confers false legitimacy. Even when GitHub eventually removes the fake stars (they deleted 90.42% of flagged repos but only 57% of the bot accounts delivering them), the organic momentum gained from that initial visibility persists. The trending page — one of the few ways new open-source projects get discovered — is being systematically gamed. And the categories most affected aren’t obscure: AI and LLM repositories lead with 177,000 fake stars, followed by blockchain and crypto projects. These are exactly the categories where hype-driven adoption is strongest and where developers most need reliable signals.

What Actually Works Instead

The study’s most useful contribution may be the simplest: the fork-to-star ratio. A star is a low-commitment click; a fork represents intent to actually use or modify code. Organic projects like Flask and LangChain show fork-to-star ratios of 0.09 to 0.24. Manipulated repositories average 0.05 or lower, with extreme cases like FreeDomain (157K stars, 81.3% of stargazers with zero followers) hitting 0.001. Any repo with over 10,000 stars and a fork-to-star ratio below 0.05 warrants serious scrutiny. Package download counts from npm or PyPI, contributor diversity, commit cadence, and issue response times are all harder to fake at scale than a click on a star button. The open-source community built its reputation on meritocracy. It’s time the metrics matched that ideal.
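The screening rule above, written out as an added example (this is not code from the study or from StarScout). Field names follow GitHub's REST API repository and user objects; the sample records and the 50% zero-follower cutoff are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

MIN_STARS = 10_000           # article: rule applies to repos with over 10,000 stars
RATIO_FLOOR = 0.05           # article: fork-to-star ratio below this warrants scrutiny
ZERO_FOLLOWER_CUTOFF = 0.5   # assumption for this example, not a figure from the study

@dataclass
class Finding:
    repo: str
    ratio: Optional[float]                # None when the repo has no stars
    zero_follower_share: Optional[float]  # None when no stargazer sample was given
    reasons: list = field(default_factory=list)

def triage(repo: dict, stargazers: Optional[list] = None) -> Finding:
    """Screen one repo. `repo` uses GitHub REST field names (full_name,
    stargazers_count, forks_count); `stargazers` is a sample of user
    profile records, each carrying a `followers` count."""
    stars, forks = repo["stargazers_count"], repo["forks_count"]
    ratio = forks / stars if stars > 0 else None
    finding = Finding(repo["full_name"], ratio, None)
    # The article's ratio rule only covers repos with over 10,000 stars.
    if ratio is not None and stars > MIN_STARS and ratio < RATIO_FLOOR:
        finding.reasons.append(f"fork-to-star ratio {ratio:.3f} < {RATIO_FLOOR}")
    if stargazers:
        empty = sum(1 for user in stargazers if user["followers"] == 0)
        finding.zero_follower_share = empty / len(stargazers)
        if finding.zero_follower_share >= ZERO_FOLLOWER_CUTOFF:
            finding.reasons.append(
                f"{finding.zero_follower_share:.1%} of sampled stargazers have zero followers")
    return finding

# Constructed sample data (not real repositories or accounts).
ORGANIC = {"full_name": "example/web-framework", "stargazers_count": 70_000, "forks_count": 16_000}
INFLATED = {"full_name": "example/llm-tool", "stargazers_count": 157_000, "forks_count": 157}
SMALL = {"full_name": "example/new-project", "stargazers_count": 120, "forks_count": 2}
EMPTY = {"full_name": "example/just-created", "stargazers_count": 0, "forks_count": 0}
INFLATED_SAMPLE = [{"followers": 0}] * 813 + [{"followers": 12}] * 187

if __name__ == "__main__":
    for repo, sample in [(ORGANIC, None), (INFLATED, INFLATED_SAMPLE), (SMALL, None), (EMPTY, None)]:
        f = triage(repo, sample)
        verdict = "REVIEW" if f.reasons else "ok"
        print(f"{f.repo:24} {verdict:7} {'; '.join(f.reasons)}")
```

A flag here is a prompt for manual review alongside the harder-to-fake signals listed above, not a verdict on its own.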
