
August 27, 2024

New Alert: Suspicious Stars on GitHub

Socket is launching a new "Suspicious Stars on GitHub" alert today, based on research that uncovers a growing trend of bad actors paying for stars in order to artificially inflate the popularity of their repositories on GitHub.

Over the past five years, we have detected more than 3.7 million fake GitHub stars. Repos leveraging these stars have been linked with scams, fraud, and malware. Socket now flags packages that are associated with these repositories.

Suspicious Stars on GitHub is a high-severity alert in the supply chain category, because of its potential association with malicious activity. The alert gives users more visibility into the legitimacy of a software package's star count and flags packages whose stars may have been artificially inflated by bots, crowdsourcing, or other means.

Check out the alert documentation and read the announcement post for a detailed analysis of the research that surfaced 3.7 million fake GitHub stars.
