On GitHub, You Can Buy Credibility for Less Than $300. And Some People Are Doing It to Collect Millions from Investors

May 31, 2026·Davide Stigliani

GitHub stars were born as a simple and honest tool: you save a repository because you find it useful or interesting, and that star becomes a signal for everyone else who comes after you. One of those passive indicators that, precisely because nobody had an interest in manipulating them, had remained reliable for years. Then investment funds started using them as a scouting metric. And from that moment, the market responded the way markets always respond when a metric becomes a goal: by finding a way to fake it.

A peer-reviewed study presented at the ICSE 2026 conference by researchers from Carnegie Mellon University, North Carolina State University, and Socket has put precise numbers on what until recently was considered a niche practice. The result is uncomfortable: 6 million fake stars on GitHub, distributed across 18,617 repositories, generated by approximately 301,000 bot accounts. A parallel industry selling technical credibility to those who want to raise capital from investors using stars as a validation signal.

The mechanism is more accessible than one might imagine. You don't need the dark web, you don't need to know hackers, you don't even need to do anything particularly complicated. All it takes is about a dozen specialized sites, Fiverr, or dedicated Telegram channels. The price of a star ranges between $0.03 and $0.90 depending on the volume, the quality of the accounts providing it, and the delivery speed.

The math is quick. To simulate credible seed round traction—the threshold many VCs use as a signal of early interest—it takes between $85 and $285. For a round of $1-10 million, the potential ROI is theoretically up to 117,000x. It is likely the best return on investment available in the startup marketing landscape, with the small detail that it is fraud.

CMU researchers developed a tool called StarScout to identify anomalous starring behavior on a large scale. The analysis covered 20 terabytes of GitHub metadata—6.7 billion events and 326 million stars between 2019 and 2024. StarScout identifies two distinct signatures of fraud: the "low activity signature," phantom accounts with zero repositories and zero followers that exist only to distribute stars, and the "lockstep signature," bot networks that star repositories in coordinated and synchronized bursts.
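As an added illustration (not StarScout's code, which the article does not reproduce), the two signatures described above can be approximated with simple heuristics over a repository's stargazer list, the kind of check an investor or maintainer could run before trusting a star count. The stargazer records and the thresholds are constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed sample stargazer list for one repository (not real GitHub data).
# Each record: (login, public_repos, followers, starred_at in ISO-8601 UTC).
GENUINE = [
    ("alice", 12, 40, "2024-03-01T10:15:00Z"),
    ("bob", 3, 5, "2024-03-02T18:40:00Z"),
    ("carol", 25, 300, "2024-03-05T09:05:00Z"),
]
# Sixty empty accounts that all star within the same hour on the same day.
BOTS = [(f"bot{i:03d}", 0, 0, f"2024-03-10T14:{i:02d}:00Z") for i in range(60)]
SAMPLE_STARGAZERS = GENUINE + BOTS

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def low_activity_share(stargazers):
    """Fraction of stargazers with zero public repos and zero followers
    (the "low activity signature" described in the article)."""
    if not stargazers:
        return 0.0
    empty = sum(1 for _, repos, followers, _ in stargazers
                if repos == 0 and followers == 0)
    return empty / len(stargazers)

def max_stars_in_window(stargazers, window=timedelta(hours=1)):
    """Largest number of stars that arrived within any single `window`
    (a crude proxy for the "lockstep signature": synchronized bursts)."""
    times = sorted(parse_ts(t) for _, _, _, t in stargazers)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def assess(stargazers, activity_threshold=0.5, burst_threshold=20):
    """Flag a repository when either heuristic fires. The thresholds are
    assumptions for illustration, not values taken from the study."""
    share = low_activity_share(stargazers)
    burst = max_stars_in_window(stargazers)
    flags = []
    if share >= activity_threshold:
        flags.append("low-activity")
    if burst >= burst_threshold:
        flags.append("lockstep")
    return {"low_activity_share": round(share, 3),
            "max_stars_in_window": burst, "flags": flags}
```

On the constructed sample both flags fire (95% empty accounts, 60 stars inside one hour), while the three genuine stargazers alone trigger nothing.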

The study's numbers are hard to ignore. As of July 2024, 16.66% of all repositories with 50 or more stars were involved in fake star campaigns—starting from almost zero before 2022. In four years, what was a marginal phenomenon has become structural: one out of every six repositories with a significant presence on GitHub could have its popularity artificially inflated.

The most affected category among non-malicious projects is AI/LLM, which even surpasses blockchain and cryptocurrency projects in absolute fake star volume—177,000 false stars identified in this segment alone. The study notes that many of these are repositories for academic papers or startup products linked to language models—exactly the category where investors are looking for the next interesting projects and where the pressure to demonstrate rapid traction is higher today than in any other tech sector.

There is a structural reason why GitHub stars have become such a tempting target. In recent years, a generation of early-stage funds has automated technical scouting: scrapers monitoring fast-growing repositories, trending rankings by language, alerts on new libraries receiving hundreds of stars in a few days. When a VC decides whether to answer a cold email by first looking at the founder's GitHub profile, the number next to the star icon becomes a proxy for technical reputation. And every reputation proxy, sooner or later, ends up being monetized by someone willing to sell it.

The problem, from the dishonest founder's perspective, is that the perceived risk is extremely low. GitHub periodically removes clearly fraudulent accounts, but the banning is reactive and late: it comes months later, when the round has already been closed and the stars have done their job. There is no regulation, no specific legal sanction, and no—for now—established due diligence practice that includes forensic star analysis before signing a term sheet.

For investors, the practical consequence is simple: stop treating GitHub stars as a reliable metric. This doesn't mean ignoring them entirely, but rather considering them at most a weak signal to be verified, not a validation in itself. The hardest signals to fake remain the same as always—active forks with real commits, issues opened by diverse users rather than linked accounts, external contributors with a history on other projects, citations in third-party product documentation, organic traffic to the repository.

For honest founders, the consequence is less pleasant: the background noise created by fraud makes it harder to get noticed while playing fair. A startup that grows slowly but genuinely today competes on the same trending page as startups that bought 5,000 stars in two weeks. As long as investors continue to look at absolute numbers without verifying quality, the pressure to participate in the gray market of stars will continue to grow.

For GitHub, the problem is existential in the medium term. The platform owes its centrality in the open-source ecosystem precisely to the trust that developers, companies, and investors place in its social signals. If those signals become systematically unreliable, GitHub loses part of the strategic value that made it the default infrastructure of world software. Tools like StarScout, developed externally, show that detection is technically possible on a large scale. The question is how quickly GitHub will decide to integrate similar logic into its own platform—and how willing it will be to be aggressive in removing compromised repositories and accounts, even when they belong to large and visible companies.

The ICSE 2026 study is not the first to document the phenomenon, but it is probably the one that frames it most rigorously and on the largest scale. Its publication marks the moment when the fake star market stops being a Twitter anecdote and becomes verified data, with replicable methodology and shared numbers. It is the kind of evidence that changes how investors, founders, and platforms will have to look at a metric they have taken for granted for too long.

The broader lesson is the already known Goodhart's Law: when a measure becomes a goal, it ceases to be a good measure. GitHub stars worked as long as no one had an economic reason to manipulate them. The moment they became currency in the race for funding, it was inevitable that someone would open a mint. The real cost is not economic, it is informational: in an ecosystem where public signals become unreliable, the quality of decisions—by those who invest, those who adopt a library, those who choose what to work on—worsens for everyone. And in a sector that has described itself for years as meritocratic, discovering how easily meritocracy can be bought for less than three hundred dollars is a wake-up call worth taking seriously.