GitHub secured its status as a programmer's best friend by combining tools for managing software with collaboration features that create a kind of social network for the code-literate. Its success has seen it pick up a less welcome feature of social platforms: a black market in fake engagement.
An ecosystem of online stores and chat groups openly sell GitHub stars, which users award to signal interest in a project and can be tallied to rank the most popular. For the bargain price of $6 paid in ether, the crypto token of the Ethereum blockchain, WIRED bought 50 stars for a dormant GitHub project via the straightforwardly branded site BuyGithub.com. The fake endorsements appeared in just hours.
The shady stars for sale are part of a wider black market in online engagement metrics used by coders, investors, and others in tech to highlight promising programmers and startups when deciding who to hire, work for, or invest in.
Online stores also offer upvotes for projects listed on Product Hunt, the community platform that promises to help individuals discover the next big thing in tech before everyone else, and followers and views on data science community Kaggle, where standing out can lead to job offers. The vendors appear to be aiming to tap into the ambition and perhaps desperation of people looking for a shortcut to success in an industry sometimes associated with the mantra “fake it till you make it.”
“Almost all online manipulation is some form of hijacking attention for the purpose of making money—acquiring attention and then transforming that into money or power,” says Filippo Menczer, director of Indiana University’s Observatory on Social Media. “GitHub is no different. It’s a market of attention because there are mechanisms by which people acquire notoriety and influence and reputation through how popular or how widely used their software is.”
Into the Bot-iverse
Fraser Marlow, head of growth for data orchestration startup Dagster, stumbled into the market for gaming GitHub last year after noticing that investors seemed to use stars on the platform as a signal that an open source offering had traction.
His team bought stars from two different online stores and used data gathered in the process to build a model to detect fake stars in GitHub repositories. They ran the model on Dagster’s own code repository as well as several others.
Cryptocurrency project Okcash was the worst offender: 97 percent of its 759 stars were flagged as fake by Dagster’s detector. Meanwhile only 1.6 percent of 29,435 stars were flagged as fake for Apache Airflow, an open source project that competes with Dagster. The analysis was limited to stars gained from 2022 onwards; Astronomer, the leading contributor to the Apache Airflow community, declined to comment.
Okcash’s founder, Oktoshi San, says that his project does not care about vanity metrics—such as stars and forks—but that some community members have launched giveaways inviting people to star the project on GitHub in return for Okcash tokens.
Dagster’s findings built on earlier work, including a paper by academic researchers who identified over 63,000 accounts, active on GitHub between 2015 and 2019, that were suspected of awarding suspect stars. The findings were arrived at by analyzing data from star sellers on messaging app Telegram and Chinese messaging platforms WeChat and QQ.
“GitHub Security has been aware of the presence of fake starrers for years, and actively works to remove these from the platform,” says Jesse Geraci, the company’s online safety counsel. Geraci acknowledges it can be challenging to strike a balance between accurately removing inauthentic accounts while permitting genuine ones to operate unimpeded. “Sixty-three thousand suspected accounts may sound like a lot, but it’s a very small percentage of the more than 100 million developers building on GitHub,” Geraci says.
After Marlow’s blog post on his work tracking suspect stars, almost all the stars he paid for disappeared within a week. The stars WIRED purchased were also removed less than a month after purchasing. GitHub's anti-abuse team combines manual investigation with software techniques to identify inauthentic accounts.
“The obsession around GitHub stars I like to think was a bit of a hangover from the ZIRP bubble,” says Marlow, referring to the zero interest-rate policy that recently ended in the US. It’s inside baseball—something only VCs and firms obsess about, he says—but over the past year he’s already noticed people are putting less weight on them.
Venture investors are “hardwired” to look for fast growth in startups seeking investment, says Pratima Aiyagari, a partner at venture firm Nauta Capital. Open source projects can operate for years without generating significant revenue, she says, so investors look for other growth signals, of which GitHub stars are just one. The success of companies like business software firm Mulesoft and collaborative software development platform Gitlab has drawn strong interest into open source companies, she says. “VC money has been pouring into the space.”
To track open source startups, venture firm Runa Capital created the ROSS Index, which ranks companies by annualized growth rate of GitHub stars. It has become a widely followed benchmark for fast-growing open source products.
The index is a good predictor of whether a company will raise a round, says Konstantin Vinogradov, a general partner at Runa. Around a third of all the companies listed in the index since its launch in 2020 have raised subsequent rounds within the next 12 months, he says.
Over time, metrics can invalidate themselves, says Stuart Geiger, an assistant professor at UC San Diego. He says two “laws” attributed to social scientists sum up why: The more a metric is used in decisionmaking, the more it will be manipulated (Campbell’s law), and a metric that becomes a target ceases to be useful (Goodhart’s law).
The line between smart strategy and cheating can be blurry. “If a company becomes number one on Product Hunt, they put it on their website, then maybe it will increase their conversion rate for customers,” says Vinogradov. “Is it just winning the game? Or is it a business-driven, reasonable strategy?”
Kevin Zhang, a former venture investor now building his own startup, says GitHub stars have seemed to become a target for entrepreneurs looking to impress. “I started noticing that founders were putting more star growth on their decks,” he says. “That always gives you a little bit of suspicion right? Oh, maybe it’s a little bit gamed.”
But Zhang and other investors say that while gaming a metric like stars might help a startup get a first meeting with VCs, it’s unlikely to get them a second. Investor perspectives on GitHub metrics have changed in recent years as a result of gamification and an increased understanding of the open source market, Zhang says. Good GitHub engagement is one promising signal, but it's not a bulletproof sign of success, Zhang, Vinogradov, and Aiyagari all say, with information on the founding team, market, and many other data points all considered before making an investment.
Cryptocurrency Preferred
Baddhi Shop, an online store offering inauthentic metrics, rolled out its GitHub services earlier this year. It also sells Product Hunt upvotes, as well as upvotes, followers, and views on Kaggle. When WIRED sent messages to the LinkedIn account of the site’s founder, Naga Durgarao Baddhi, responses came back claiming the business was aboveboard.
When an order comes in for GitHub stars or another metric, a team of 11 get clicking, “from different cloud devices,” Baddhi said, adding that this wasn’t spam because the shop respects each website's terms of service. GitHub is not the most popular metric-cheating offering, Baddhi added. Discord, a chat room service popular with crypto projects, gets daily purchases, and metrics for 10 other services are also popular, Baddhi says. Kellyn Slone, a spokesperson for Discord, says creating or selling fake accounts violates its terms of service, and it takes action in response, including removing users from the service.
Selling fake engagement is best known on leading social platforms such as Facebook. The emergence of a market for smaller, newer sites such as GitHub and Product Hunt could be due to mainstream platforms paying more attention to fake accounts, says Stefano Cresci, a researcher focused on disinformation, fake news, and social bots at the Institute of Informatics and Telematics, part of the National Research Council, in Pisa, Italy. Vendors may be moving to other platforms where it’s easier to stay in business, he says.
There’s also evidence that, now that life online is central to just about every area of human endeavor, online cheating occurs in even niche communities. Justin Hollander, a professor at Tufts University, near Boston, recently published research showing Twitter bots being used to try to influence urban planning. Bots were active across 21 US real estate projects, including the development of SoFi Stadium in California and mixed-use projects in Atlanta.
“A range of different community organizations and government agencies were using bots,” he says. “We were not able to find just one group. It seems like any entity that’s savvy and active in this space of shaping the city and being involved in these policy areas, they’re using bots.”
Menczer of Indiana University likens the widespread use of social bots and fake engagement to the effects of pollution, with junk piling up to bury what has value and quality. He expects it to get worse as technology advances. Menczer and colleagues recently found evidence of a cryptocurrency-pushing bot network on Twitter powered by ChatGPT.
“It's hard for humans and hard for software to detect fake accounts,” Menczer says. “And ChatGPT will happily create lots of fake accounts for you that are impossible to distinguish from real ones.” AI image generators are being used to generate realistic and unique fake profile pictures, says Menczer, eliminating what in the past was often a telltale way to identify fake accounts.
“It’s an arms race because social bots become smarter and smarter, more sophisticated,” Menczer says. Whatever new engagement metrics emerge for software projects, companies, or people, the scammers won’t be far behind.
Updated 10-23-2023, 3:15 pm EDT: Astronomer is the leading contributor to the Apache Airflow community, not its manager.