Reporting Large-Scale Fake Star Campaigns to GitHub Security

[BearHuddleston]

Hello,

I recently read your research paper on fake stars in GitHub and found your work on StarScout to be highly insightful. Your findings on large-scale fake star campaigns and their implications for security are particularly concerning.

I am developing a tool called GitHubWatchdog which aims to detect suspicious repositories and users on GitHub using heuristics similar to what you’ve described in your paper. One of the key challenges I’m facing is the process for reporting mass fake stars and suspicious accounts to GitHub in an effective manner.

I have the following questions:

1. Is there an established process for reporting large-scale fake star campaigns to GitHub’s security team?
2. Have you received any official feedback from GitHub regarding your reports?
3. Does GitHub offer any automated or bulk reporting mechanism, or is reporting still done manually via GitHub Support?
4. Are there any best practices you would recommend when reporting fake stars, suspicious repositories, or bot accounts at scale?

If you have any insights or guidance on how to responsibly and efficiently report mass fake star campaigns, it would be extremely helpful.

Looking forward to your thoughts, and thanks again for your valuable research!

Cheers~
Bear Huddleston

[hehao98]

Hi there,

Thanks for reaching out! Regarding your questions:

1. We are not aware of an established process or support for large-scale reporting to GitHub security.
2. The best thing I have attempted so far is to follow-up in the email to GitHub Support (which I will get after reporting one repository) and then add the list of remaining repositories there. We didn't get any further feedback other than the standard reply of "your report has been processed…kind of stuff" at that time.
3. I am not aware of any automated mechanism. I would be happy to know if there is any.
4. I do not have any recommendations actually.

Hope my response won't get you disappointed, but I would be happy to discuss with you further if you have any thoughts or experiences to share. Thanks!

Best,
Hao

[BearHuddleston]

Thanks Hao. I have tried to mass report in one ticket of an abusive user but no follow up actions by GitHub. However, if I report an abusive user and only that user, GitHub would take action. I'm going to seek other methods such as direct contact or community. I'll report my findings to you if any.

[heathdutton]

Did you find anything @BearHuddleston

I remember reading somewhere that many of the accounts originally found were blocked. Was there communication around that, or was that just due to follow-up checks via the GH API?

[hehao98]

For the results in the ICSE paper, I did following-up checks through GH API after the reporting.

I also had a discussion with the GitHub Security team last June to inform them of this research and shared the data. I didn't receive an official update since then, but I assume they probably have done something on their own.

[BearHuddleston]

@heathdutton unfortunately, I couldn't connect with GitHub Security that was outside of traditional means (ticket system) so communication was extremely limited. As for community, I was referred back to the ticket system.

I will note that I did provide a list of 121 users for malware advertising on February 6, 2025. They're all 404 as of today.

As for the highly suspicious stargazer accounts, they're still there. Even after reporting 11 months ago.

[heathdutton]

Very interresting. Thanks for responding.