April 20, 2026 · 7 min read

The shadow market of GitHub stars

GitHub stars became a high-visibility traction signal for open-source startups, and that signal is now being manipulated at scale.

Many venture founders have noticed it over the past 2-3 years: you need more and more GitHub stars to make an impression. What used to be impressive at 2-3K stars now feels almost table-stakes for seed-stage open-source startups.

Investors openly use star velocity as a proxy for hype and forks as a signal of real demand. I have seen these exact metrics highlighted in dozens of pitch decks, including at YC Demo Days. GitHub trends have become investor catnip.

But here's the uncomfortable truth: the metric is being gamed at scale.

A recent academic study analyzed GitHub star growth from 2019-2024 and uncovered millions of suspected fake stars across thousands of repositories. The practice used to be limited to obvious scam projects (warez, phishing tools, crypto bots, malicious forks). Stars served as cheap social proof: slap 5K stars on a repo and people download first, ask questions later.

Since 2022, everything has changed. Volume exploded, peaking in 2024. The new kings of fake-star farming? AI/LLM projects, overtaking even blockchain startups. Perfect storm: extreme hype plus investors who literally count stars.

Result? Roughly one in every six fast-growing open-source projects now shows signs of artificial inflation. One top-ranked project in the respected ROSS Index reportedly had about 47% suspicious stars.

How the market actually works

It's not hidden in some dark corner of the internet. The entire ecosystem is shockingly open.

  • Dedicated websites
  • Fiverr gigs
  • Telegram channels
  • Star-exchange marketplaces

Price per fake star: $0.03 to $0.85.

A believable seed-stage traction package (2-3K stars) costs a few hundred dollars. Series A level (about 5K stars) is still under a couple of thousand. Cheap enough that it is basically table stakes for some founders chasing hype.

The fake accounts are scarily good: realistic avatars, bios, and activity history. But 60% or more of them have one tell: their entire existence is basically star farming. A premium tier exists too: five-year-old accounts with real commit history plus an Arctic Code Vault badge go for about $5K each and are used for ultra-high-stakes clients who want maximum credibility.

And it does not stop at stars. npm downloads are inflated via AWS Lambda scripts. VS Code extension installs are botted. Public metrics are easy to manipulate, hard to verify, and heavily influence funding decisions.

There is even a dark flip side: competitors or trolls can buy stars for your repo and then accuse you of manipulation. There is currently zero reliable defense against that attack.

How to cut through the noise

Smart investors already moved on. Bessemer Venture Partners (one of the top-tier firms) publicly calls stars a vanity metric and instead looks at unique monthly contributors (people who opened issues, submitted PRs, or made commits). Their threshold of 250+ per month filters out noise while still capturing almost all genuinely popular projects.

Quick external checks you can do yourself:

  • Forks-to-stars ratio: healthy projects usually sit at 15-25%. Anything below about 5% is a massive red flag.
  • Watchers-to-stars: one famous example had 157K stars and only 168 watchers. That is not organic.

GitHub fights back with periodic ban waves (stars drop overnight on inflated repos), but the fraud industry adapts faster than the platform can detect it.
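The forks-to-stars and watchers-to-stars checks above, together with the unique-monthly-contributor bar, as an added Python example (not from the original article). It assumes counters shaped like the GitHub REST API repository object; the event record format, the sample repositories and the 0.5% watcher floor are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Fork floor and contributor bar are the article's figures. The watcher floor is
# an assumption for illustration; the article gives only one example ratio.
FORK_RATIO_RED_FLAG = 0.05       # forks/stars below about 5%
WATCH_RATIO_FLOOR = 0.005        # ASSUMPTION: watchers/stars below 0.5%
MIN_MONTHLY_CONTRIBUTORS = 250   # unique monthly contributors (Bessemer)
ACTIVITY = {"issue", "pull_request", "commit"}


def unique_monthly_contributors(events, now, days=30):
    """Distinct logins in hypothetical {login, kind, at} activity records."""
    cutoff = now - timedelta(days=days)
    return len({e["login"] for e in events
                if e["kind"] in ACTIVITY and e["at"] >= cutoff})


def assess(repo, events, now):
    """Return (metrics, flags) computed from a repository's public counters."""
    stars = repo["stargazers_count"]
    if stars == 0:
        return {}, []
    metrics = {
        "fork_ratio": repo["forks_count"] / stars,
        # In the GitHub REST API `watchers_count` mirrors the star count;
        # the real watcher figure is `subscribers_count`.
        "watch_ratio": repo["subscribers_count"] / stars,
        "contributors_30d": unique_monthly_contributors(events, now),
    }
    flags = []
    if metrics["fork_ratio"] < FORK_RATIO_RED_FLAG:
        flags.append("forks-to-stars below 5%")
    if metrics["watch_ratio"] < WATCH_RATIO_FLOOR:
        flags.append("watchers-to-stars below assumed floor")
    if metrics["contributors_30d"] < MIN_MONTHLY_CONTRIBUTORS:
        flags.append("fewer than 250 monthly contributors")
    return metrics, flags


# Constructed sample data, not real repositories. Only the 157K stars and
# 168 watchers of INFLATED come from the article's example.
NOW = datetime(2026, 4, 20, tzinfo=timezone.utc)
INFLATED = {"stargazers_count": 157_000, "forks_count": 900, "subscribers_count": 168}
ORGANIC = {"stargazers_count": 4_000, "forks_count": 800, "subscribers_count": 60}
BUSY = [{"login": f"dev{i}", "kind": "pull_request",
         "at": NOW - timedelta(days=i % 28)} for i in range(300)]
QUIET = [{"login": f"dev{i % 3}", "kind": "issue",
          "at": NOW - timedelta(days=i)} for i in range(60)]
```

`assess(INFLATED, QUIET, NOW)` returns all three flags and `assess(ORGANIC, BUSY, NOW)` returns none. A flag is a prompt to look closer at the repository, not a verdict on it.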

Regulation is coming

Since October 2024, the U.S. FTC Consumer Review Rule explicitly bans the buying and selling of fake reviews and fake social metrics. GitHub stars technically fall under the same category: they influence commercial decisions. Enforcement on open source has not hit yet, but it is probably only a matter of time.

We now live in an era where one of the most important open-source credibility signals is corrupted, yet investors continue to treat it as gospel.

The question for all of us in the ecosystem:

  • How do we rebuild trust in public traction metrics?
  • Should VCs de-emphasize stars entirely?
  • Or is the solution better detection plus transparency?