GitHub's fake star economy

I do it all the time, whenever there are competing libraries to choose among.

It's a heuristic that saves me time.

If one library has 1,000 stars and the other has 15, I'm going to default to the 1,000 stars.

I also look at download count and release frequency. Basically I don't want to use some obscure dependency for something critical.

To be honest, these days I have more faith in an application or library with a moderate development pace where maybe the last commit wasn't 2 seconds ago co-authored by claude (in the most blatant examples).

The same is true for amount of commits, the type of commits, release cadence and the amount of fixes and hotfixes in releases. I don't feel like being a glorified alpha tester so I look for maturity in a project.

Which more often than not means that, yes there needs be activity. But, it is also fine if it was two days ago and there is a clear sign of the same pattern over a longer period. Combined with a stable release cycle, sane versioning and clear changelogs that aren't just a list of the last 10 commit messages.

On your point of stars, I think they used to be a valid metric in a similar category. Namely, community behind the software. But it has been a while since that has been true. It certainly hasn't been for a while, ever since I saw these star tracking graphs pop up on repos I knew that there was no sense in paying attention to them anymore.

For example, let’s say I want to run some piece of software that I’ve heard about, and let’s say I trust that the software isn’t malware because of its reputation.

Most of the time, I’d be installing the software from somewhere that’s not GitHub. A lot of package managers will let anyone upload malware with a name that’s very similar to the software I’m looking for, designed to fool people like me. I need to defend against that. If I can find a GitHub repo that has a ton of stars, I can generally assume that it’s the software I’m looking for, and not a fake imitator, and I can therefore trust the installation instructions in its readme.

Except this is also not 100% safe, because as mentioned in TFA, stars can be bought.

It’s a bloom filter of sorts for finding the right library.

https://en.wikiquote.org/wiki/Napoleon

I do.

I don't review the whole repo, but every single time I update dep versions, I always look at the full diff between the two. It doesn't take that long

You might not have but the makers of dependencies that you use might so still problematic.

Same here. I've starred over 1500 projects on Github over the years, and only because I wanted to save them for later use or as a reference for something I was working on. These days I'll occasionally use the star metric as a signal to avoid certain projects as overhyped (especially if the project has a stars-per-day meter).

* Most recent commit

* Total number of commits

This might have to die in the era of AI, but it's served me well for a long time. Rather than how many people are paying attention, it tries to measure the effort put in.

It's only not meaningful because of how other people can game it and fabricate it, but everything you just said, if it was only people like you, that would be a very meaningful number.

It doesn't even matter why you bookmarked it, and it doesn't matter that whatever the reason was, it doesn't prove the project as a whole is overall good or useful. Maybe you bookmarked it because you hate it and you want to keep track of it for reference in your ted talk about examples of all the worst stuff you hate, but really by the numbers adding up everyone's bookmarks, the more likely is that you found something interesting. It doesn't even matter what was interesting or why. The entire project could be worthless and the thing you're bookmarking was nothing more than some markdown trick in the readme. That's fine. That counts. Or it's all terrible, not a single thing of value, and the only reason to bookmark it is because it's the only thing that turned up in a search. Even that counts, because that still shows they tried to work on something no one else even tried to work on.

It's like, it doesn't matter how little a given star means, it still does mean something, and the aggregation does actually mean something, except for the fact of fakes.

Six million fake stars is just what this small crew found, likely in a matter of hours.

A fine of $53,088 times six million is 318.528 billion.

Just going hard after a small portion of that should both put an end to it and a slight dent in the deficit.

This kind of fraud is rampant because everyone concludes the way to win is not to make a real advance, but to simply game the system. Seems they are not wrong because the lack of enforcement makes the rules meaningless.

Instead I look at (in addition to the above):

1. Who is the author? Is it just some person chasing Internet clout by making tons of 'cool' libraries across different domains? Or are they someone senior working in an industry sector from which project might actually benefit in expertise?

2. Is the author working alone? Are there regular contributors? Is there an established governance structure? Is the project going to survive one person getting bored / burning out / signing an NDA / dying?

3. Is the project style over substance? Did it introduce logos, discord channels, mascots too early? Is it trying too hard to become The New Hot Thing?

4. What are the project's dependencies? Is its dependency set conservative or is it going to cause supply chain problems down the line?

5. What's the project's development cadence? Is it shipping features and breaking APIs too fast? Has it ever done a patch release or backported fixes, or does it always live at the bleeding edge?

6. NEW ARRIVAL 2026! Is the project actually carefully crafted and well designed, or is it just LLM slop? Am I about to discover that even though it's a bunch of code it doesn't actually work?

7. If the project is security critical (handles auth, public facing protocol parsing, etc.): do a deeper dive into the code.

Have an upvote. The first one is free.

https://www.xkcd.com/2899/

We've recently decided to complicate life of AI bots in our repo https://archestra.ai/blog/only-responsible-ai, hoping they will just choose those AI startups who are easier to engage with.

https://en.wikipedia.org/wiki/Goodhart's_law

It's a bit like the old article about evaluating software companies on whether they have version control or not. Everyone has version control now.

The entire game of startup investing is to identify breakout companies early. Social proof (when valid, not faked) of interest is one of the strongest signals of product market fit.

If a product has a lot of attention (users, headlines, stars, downloads, DAU) that’s a signal that it could also have a lot of customers some day. This is also why all of those metrics are targets for manipulation.

> This would be like an NFL team drafting a quarterback based on how many instagram followers they have

Major sports team are about engaging fans. If a promising recruit had a huge social media presence then that could be a contributing factor toward trying to recruit that player.

This is actually easier to understand if you look at the inverse: Some times there are players with amazing stats but who have a cloud of controversy following them. Teams will skip over these problematic players despite their performance because having popular and engaging players is important for teams but having anti-popular players will drive away fans.

Over here the fans would be singing "You're getting sacked in the morning" halfway through that first season.

I guess not having relegation makes things slightly less ruthless for you.

It’s not that they’re necessarily careless, it’s just that the bigger the net the more fish you catch. And when you own both all the fishing boats and all the nets…might as well cast wide.

And once it gets out that it’s a selection criteria it gets gamed to hell and back.

Once surfaced, there’s other signals to filter if an initial conversation is even worth it.

Assuming everyone else is just stupid and it’s all luck is a good way to hold yourself back from your potential.

Not quite the same, but the New York Jets (one of the few NFL teams that can match the dysfunction of the Browns — they have the longest active playoff drought in big 4 North American sports) passed on a few successful players because the owner, Woody Johnson, reportedly didn't like their Madden (video game) ratings [0]:

> A few weeks later, Douglas and his Broncos counterpart, George Paton, were deep in negotiations for a trade that would have sent Jeudy to the Jets and given future Hall of Fame quarterback Aaron Rodgers another potential playmaker. The Broncos felt a deal was near. Then, abruptly, it all fell apart. In Denver’s executive offices, they couldn’t believe the reason why.

> Douglas told the Broncos that Johnson didn’t want to make the trade because the owner felt Jeudy’s player rating in “Madden NFL,” the popular video game, wasn’t high enough, according to multiple league sources. The Broncos ultimately traded the receiver to the Cleveland Browns. Last Sunday, Jeudy crossed the 1,000-yard receiving mark for the first time in his career.

...

> Johnson’s reference to Jeudy’s “Madden” rating was, to some in the Jets’ organization, a sign of Brick and Jack’s influence. Another example came when Johnson pushed back on signing free-agent guard John Simpson due to a lackluster “awareness” rating in Madden. The Jets signed Simpson anyway, and he has had a solid season: Pro Football Focus currently has him graded as the eighth-best guard in the NFL.

[0] https://www.nytimes.com/athletic/6005172/2024/12/19/woody-jo...

sounds like how the ufc does it

Union Labs is the most consequential case. It was ranked #1 on Runa Capital's ROSS Index for Q2 2025 - a widely cited VC industry report identifying the "hottest open-source startups" - with 54.2x star growth and 74,300 stars. Our analysis found 32.7% zero-repo accounts, 52% zero-follower accounts, and a fork-to-star ratio of 0.052. The StarScout analysis flagged it with 47.4% suspected fake stars. An influential investment-sourcing report that VCs rely on was topped by a project with nearly half its stars suspected as artificial.

Record labels did this with soundcloud or only picking up people who already had a following. Movies have done this repeatedly with adaptation (due respect to people who like their books remade faithfully, there's a reason the 70's/80's were that decade and it basically stopped once Comics/LotR arrived). A24 represents a disruption, not a normal studio. Books did this with webnovels or paying dirt cheap and making the Author market.

What people tend to forget is they're just resource gatekeepers. They could just choose to invest in offices with cats because an office with cats popped massively one time and you can't say they're wrong, because there's no alternative funding you can get to A/B test with. In theory there are different firms - but they often went to the same schools, same peer group, same fraternity/sororities, and once they're in the wild they all know each other. It's not a different behavior if it's VC or if it's Nashville.

The real question is how long before either governmental-busting or someone notices the lack of care with money and shops alternatives. In theory this is also partially why American firms face international risk - lacking people respecting their laziness, someone can break their model.

That said - I'm not saying they're not smart - just that often there's a tendency to delude that shortcuts taken represent a "good job" rather than "no one can really say we're doing it poorly".

Nevertheless, VCs are in fact pretty dumb sometimes and it'd be stupid to invest soley based on stars.

The only claim here is that there’s a report that tracks GitHub star growth that is that is presumably read by VCs:

>> Union Labs is the most consequential case. It was ranked #1 on Runa Capital's ROSS Index for Q2 2025 - a widely cited VC industry report identifying the "hottest open-source startups" - with 54.2x star growth and 74,300 stars. Our analysis found 32.7% zero-repo accounts, 52% zero-follower accounts, and a fork-to-star ratio of 0.052. The StarScout analysis flagged it with 47.4% suspected fake stars. An influential investment-sourcing report that VCs rely on was topped by a project with nearly half its stars suspected as artificial.

Again, the claim here is that the report is “influential”. Maybe?

- VCs definitely cared about our Stars, especially in early stages, but not as our primary metric. I suppose Stars might be the primary metric if they're truly off the charts, but usually they're just one of many social proof signals an investor might look at.

- Investors, especially at the earliest stages, are quite a varied bunch. Some were diligent about looking at who was leaving Stars on the repo (i.e. are these accounts fake/do they belong to potential future customers). Some less so. This is true for basically every metric (see: startups that grossly misreport ARR)

- Fake GitHub stars were a thing way before 2022. I'd have to look in more detail at the methodology here, but I'd question any analysis that finds that paying for GitHub Stars (or any social following kind of metric) is a strictly post-2022 thing. Any metric that can be construed as social proof will immediately have its own grifter economy. Investors know this and (mostly) do their diligence.

Finally, showing numbers is hard for an early stage open source startup. At later stages, you should be able to show an actual business with typical metrics, but at the seed stage you often just have a repo and a website. Your goal is just to get a lot of people using your software. You can add telemetry to track that, but that's a thorny decision. GitHub Stars aren't a terrible proxy for popularity, provided that you audit the quality of the following. A project with a lot of organic stars and forks is, at the very least, a project that a lot of people are familiar with.

I'm not saying that GitHub Stars aren't wildly overvalued or gamed, but contextualized properly, they're a reasonable metric to consider, particularly at earlier stages. Most investors aren't just throwing millions at random repositories with 20k Stars from obviously spam accounts.

The market is completely flooded and promotors cannot practically sift through the sheer volume of mixes published online -- so they go by Internet points instead.

Github stars used to really mean something. Having 1k+ was considered a stable, mature library being used in prod by thousands of people. At 10k+ you were a top level open source project. Now they've been gamed by the dead internet just like everything else, and it's depressing as hell.

I agree it's idiotic; I'm quite confident that it wouldn't be that hard to cheat this system, and even if there absolutely no way to cheat the system, it's not like Hacker News points translate to smartness; my most upvoted posts have basically nothing to do with software engineering.

I believe that is how they made the final decision on Watson over Mayfield. Oh, wait, I don't think anything can explain that decision.

Also from Cleveland.

Go Guardians! Go Cavs!

If you want to make it as an actor today, you need a social media following [1]. It is directly relevant to you getting cast. It also helps you connect with other actors, with producers and directors, etc.

Thing is, this isn't new. before social media, your influence was measured in "tear sheets" [2], basically any published story that you're in. This could be something as simple as going to Cannes or Sundance or even just to the hottest club.

Sports also uses a points system (kind of) but it's meant to reflect ability. Take the NFL, for example. Going from high school to college and college to the NFL, you will have stats relevant to whatever position(s) you play. For a QB it's things like interceptions, passing years, running yards, completed throw percentages, etc. You then have the NFL Combine [3]. This is an intensive camp where certain metrics are taken like how much you can lift, 40 yard dash, etc.

All of this tries to make it a science, or at least quantitative. But what I find funny is that despite all this work, it can still fail spectacularly. Like, being the #1 draft pick for the NFL is kind of a curse [4].

And then there's Tom Brady. For people unfamiliar with American sportsball, Tom Brady is arguably the greatest quarterback in the game's history, having 7 Superbowl rings. Thing is, he was a 6th round draft pick in the 2000 NFL draft. For anyone not familiar with what that means, 6th (and especially 7th) round draft picks are like the bottom of the barrel. You're not expected to take a starting position. You may not even play unless 1-2 people get injured. Nobody expects you to be a great.

[1]: https://www.backstage.com/magazine/article/social-media-acto...

[2]: https://avenueagency.wordpress.com/tag/tear-sheet

[3]: https://www.nfl.com/combine

[4]: https://www.si.com/more-sports/2011/01/13/sportscasting-exce...

It's purely incentives. Heavy competition for early signal identification has pushed them to crappier and crappier indicators.

Yes actually

Needless to say they didn’t like when I said this was a worthless metric and we needed to be using something like “working policies” or “time saved training”

I have personally seen several company CEOs (that were billionaires!) do this in different ways. Sometimes hiring people because of it.

Imagine you're choosing between 3 different alternatives, and each is 100,000 LOC. Is 'reading the code' really an option? You need a proxy.

Stars isn't a good one because it's an untrusted source. Something like a referral would be much better, but in a space where your network doesn't have much knowledge a proxy like stars is the only option.

(Sometimes still is, but the agents garbage does not help)

They don't.

I've helped with due diligence on a couple projects. VCs know that metrics can be gamed because they see it all the time. Stars, followers, views, clicks, likes. A portion of entrepreneurs have been gaming every metric since before you and I learned how to program. It has always been this way and always will.

Most of the VC-related comments have interpreted this article to mean that VCs are so dumb that they haven't realized that stars can be faked, but in reality VCs spend so much time sorting through fake metrics that they understand this probably better than most here.

If you've ever gone through due diligence for an acquisition or big investment round it's amazing how much work you have to do in order to prove that your metrics are real. When things got crazy after COVID there was a short time when VCs were trying to move so fast that they skipped this, but it resulted in some high profile fraud cases.

During normal times, you will get grilled on metrics. They might see stars as a signal for rising stars, but they're not throwing money at projects based on star count like many commenters assume. They will do a deeper dive before investing and they will call it off if things aren't adding up. The amount of diligence scales with the investment, so someone getting a $10K check can get away with a lot of fraud but that $2mm funding round isn't going to cross the finish line based on star count.

The fake accounts often star my old repos to look like real users. They are usually very sketchy if you think for a minute, for example starring 5,000 projects in a month and no other GitHub activity. One time I found a GitHub Sponsor ring, which must be a money laundering / stolen credit cards thing?

Even 10 years ago most VCs we spoke to had wisened up and discarded Github stars as a vanity metric.

one VC told me, you'll get more funding and upvotes if u don't put "india" in your username.

Founders need the ability to get traction, so if a VC gets a pitch and the project's repo has 0 stars, that's a strong signal that this specific team is just not able to put themselves out there, or that what they're making doesn't resonate with anyone.

When I mentioned that a small feature I shared got 3k views when I just mentioned it on Reddit, then investors' ears perked right up and I bet you're thinking "I wonder what that is, I'd like to see that!" People like to see things that are popular.

By the way, congrats on 200 stars on your project, I think that is definitely a solid indicator of interest and quality, and I doubt investors would ignore it.

I think VCs just know that there are no reliable systems, so they go with whatever's used.

In general, I’ve been dissatisfied with GitHub’s code search. It would be nice to see innovation here.

You'd want to discard a lot of the noise in the bottom 20% of linking power. You want to focus more on the 'trust' factor.

Finding any curse words in hidden comments in the commit history is for me a good indication of a human working on a passion project, though ymmv.

And there are always exceptions to the exception of the exceptions.

I'm not supporting this view but it is what it is unfortunately.

VCs that invest based on stars do know something I guess or they are just bad investors.

IMO using projects based on start count is terrible engineering practice.

Surely a project's popularity is often related to its utility. A useful and popular project seems like exactly the kind of thing a VC might be interested in.

Unfortunately I still look at them, too, out of habit: The project or repo's star count _was_ a first filter in the past, and we must keep in mind it no longer is.

> Good reminder that everything gets gamed given the incentives.

Also known as Goodhart's law [1]: "When a measure becomes a target, it ceases to be a good measure".

Essentially, VCs screwed this one up for the rest of us, I think?

[1] https://en.wikipedia.org/wiki/Goodhart%27s_law

Specifically if those avatars are cute animie girls.

https://github.com/karakeep-app/karakeep

Sounds useful.

I’ll star it and check it out later ;)

Is he really? I’ve only heard of him because HN is obsessed with his “AI” takes. Is he really that popular outside of this bubble?

I measure my own projects by the enjoyment I got out of them. No sense in chasing validation from others when ones only metric will forever be what’s in their own control.

For Microsoft this is another kind of sunk cost, so idk how much incentive they have to fix this situation.