6 Million Fake Stars: Why GitHub Sourcing in 2026 Needs a New Rubric
A 2026 ICSE paper found 6M fake GitHub stars across 18,617 repos. Here is the behavioral sourcing rubric that replaces stars-based filters.
If your GitHub sourcing playbook still starts with `stars:>50`, you are not filtering for talent anymore. You are filtering for the exact threshold that a $0.03-per-star marketplace has been optimized against for two years. A peer-reviewed 2026 ICSE paper just put a number on the problem, and the number is large enough that every recruiter sourcing AI and devtools talent needs to rewrite their search strings this quarter.
What StarScout actually found
The StarScout team (CMU's Hao He, Bogdan Vasilescu, Christian Kästner, and Haoqin Yang, with NC State's Alexandros Kapravelos and Socket's Philipp Burckhardt) analyzed GHArchive data from July 2019 through December 2024. Their detector flagged roughly 6 million suspected fake stars across 18,617 repositories, generated by around 301,000 accounts. The paper was accepted at ICSE 2026 and validated against a known malware campaign, where StarScout caught 81% of the implicated repos and 76% of the accounts.
The growth curve is the part that should change how you source. Fake-star activity grew about 100x between 2022 and 2024. By July 2024, roughly 16.66% of all repositories with at least 50 stars had been touched by a fake-star campaign. That figure was essentially zero before 2022.
The "stars>50" rule was never a great proxy. Now it is an adversarial one. Sellers like SocialPlug.io (which advertises 3.1M stars delivered to 53,000-plus clients and offers a programmatic API), Followdeh (with "non-drop" 30-day guarantees), and dozens of Fiverr gigs price stars at $0.03 to $0.85 each. They are not selling to make repos look loved. They are selling to clear the specific thresholds VCs and recruiters publicly say they filter on.
The AI category is the most polluted
This is the part technical recruiters need to internalize. AI and LLM repositories are the single largest non-malicious category receiving fake stars, with roughly 177,000 manufactured stars in that bucket alone, ahead of blockchain. That is the exact category where engineering managers are sourcing hardest in 2026.
So when you pull the stargazer list of a trending LLM repo to feed your CRM, two things go wrong at once. First, you import bot accounts as "interested candidates." Independent forensic analysis of 20 suspect repos found 36% to 76% of stargazers had zero followers and zero public repos. Second, the contributors-of-record on those repos may themselves be sockpuppets or one-commit drive-bys, because 83.9% of fake-star campaign repos are active for fewer than 10 days and show very few issues, PRs, or comments.
Why the VC playbook makes recruiters the mark
Jordan Segall at Redpoint Ventures published a benchmark across 80 devtool companies: median GitHub star count at seed is 2,850, and at Series A it is 4,980. He has also said openly that VCs "write internal scraping programs" to find fast-growing GitHub projects. That benchmark is now public knowledge for every founder considering a $0.05 star. Manufacturing the 2,850-star seed median costs roughly $85 to $285.
The published threshold is the attack surface. If your filter is famous, it is already gamed.
The result: a founder buys stars to hit the VC heuristic, the VC funds the company, the company hires aggressively on the back of the round, and recruiters source from the contributor graph of a repo whose only organic signal was the founders' own commits. A ROSS Index top-ranked project (Runa Capital's leaderboard for fastest-growing open source) was independently estimated to have around 47% suspected fake stars. The leaderboard itself is the incentive.
Theo Browne's April 2026 investigation pushed this from an academic finding into a developer-community scandal, which is useful context when you talk to engineers: they already know. They will respect a recruiter who has stopped citing star counts as a credential.
The behavioral signals that actually rank engineers
Here is the contrarian thing buried in the StarScout data. The fingerprint of a fake repo (few issues, few PRs, almost no review comments, no sustained activity) is the inverse of the fingerprint of a hireable engineer. Pivoting to behavioral signals does not just dodge the fraud. It uses the fraud's own shape as a free filter.
GitHub processes roughly 43.2M merged PRs per month. That is the right denominator. Build your sourcing rubric on the contribution graph, not the star graph.
The new rubric
A practical list of developer sourcing signals that are expensive or impossible to fake at scale:
- Merged PR cadence over 12 to 24 months, in repos with a non-trivial review process. One drive-by commit in `transformers` is noise. Twelve merged PRs across `pytorch`, `langchain`, and `huggingface/transformers` is a resume.
- Code reviews performed. Reviewing other people's code is the single hardest signal to manufacture because it requires the maintainer trust loop. The `reviewed-by` graph is your friend.
- Issue triage and comment tone. Read the comments. An engineer who writes clear repro steps and avoids LGTM-spam is the one you want on a call.
- Niche-language and niche-domain commits. Rust in `tokio`, CUDA kernels in `vllm`, OCaml anywhere. The pool is small, the fraud is uneconomic.
- Org membership in well-run orgs. Being listed as a member of `kubernetes-sigs`, `pytorch`, `apache`, or `cncf` working groups is gated by humans.
- Fork-to-star ratio of the repos they contribute to. Suspect repos run roughly 10x below organic fork-to-star baselines. Use this to grade the quality of the room an engineer hangs out in.
None of these signals are searchable in a single GitHub query box. That is the friction. Boolean strings like `stars:>50 language:python location:berlin` are easy to type and now mostly wrong. The right query is closer to "people who have merged three or more PRs into a top-50 LLM inference repo in the last 18 months, currently based in Europe, with code-review activity, not currently at a FAANG." That is a paragraph, not a string.
This is the friction we built Refolk to remove. You describe the engineer in plain English, including the behavioral filters above, and get a ranked shortlist drawn from GitHub, LinkedIn, and the open web. The point is not "AI sourcing"; the point is that the right query in 2026 is too long for a search box, and the right signal is in PR graphs and review threads, not in star counts.
What to delete from your search strings this week
Three concrete changes for engineer sourcing without stars:
- Drop `stars:>N` from every saved search. Replace it with constraints on the repo's activity (open PR count, merged PR velocity, contributor count above some floor) rather than its popularity.
- Stop importing stargazer lists into your CRM raw. If you must use them, filter for accounts with a minimum follower count, an account age over 12 months, and at least one public contribution in the last 6 months. The StarScout deletion-ratio data (flagged accounts deleted at up to 90%, roughly 16x the random baseline) tells you these filters work.
- Re-rank your existing pipeline. Pull the GitHub handles you already have and re-score them on merged PRs and reviews performed, not on personal repo stars. You will be surprised which "B-tier" candidates jump.
The 82% problem you still have to solve
GitHub's own Octoverse data says roughly 82% of contributions happen in private repos. TypeScript just overtook Python as the #1 contributor language (up 66.6% year over year), and more than 36.2M new engineers joined GitHub in 2025. The public surface is simultaneously bigger and thinner: more profiles, less signal per profile, and now manufactured noise on top.
You cannot solve the 82% private-contribution gap from inside GitHub alone. You triangulate across package registry presence (npm, PyPI, or crates.io maintainer status, with the caveat that download counts are also gamed), conference talk history (PyData, KubeCon, NeurIPS workshops), Discord and Slack moderator roles in well-known OSS communities, and review-graph centrality in the public repos they do touch. This is exactly the kind of cross-source query that breaks Boolean tools and where Refolk's plain-English approach pays for itself: "engineer who maintains a published Rust crate with >10k downloads, has spoken at a Rust conference, and contributes to the tokio ecosystem" is a sentence, not a search string.
The market is wide open for whoever moves first
If you accept the StarScout numbers, the implication for GitHub recruiting in 2026 is bracing. Roughly one in six "credible" public AI repos has manufactured social proof. Most published sourcing guides still tell recruiters to use exactly the filter the fraud is optimized against. The recruiters who quietly switch to PR-merge cadence, review density, and niche-domain commits will out-source the ones still pasting `stars:>100` for at least another 12 months, because the published heuristic is sticky.
Stars were always a vanity metric. They just used to correlate with something. They no longer do. Source the contribution graph.
FAQ
Are all GitHub stars fake now?
No. The StarScout finding is that roughly 16.66% of repos with 50+ stars have been touched by a fake-star campaign, not that 16.66% of all stars are fake. Most stars on long-lived, deeply-reviewed repos like kubernetes, pytorch, or transformers are organic. The problem is concentrated in newer AI and devtools repos in the 50 to ~5,000 star band, which is exactly the band recruiters and VCs love. Treat stars as weak supporting evidence, never as a primary filter.
What is the single best behavioral signal to replace stars?
Merged PRs into well-reviewed repositories over a 12 to 24 month window, weighted by the size and seriousness of the review process. A single merged PR into pytorch or kubernetes is worth more signal than 200 stars on a personal project. After that, reviews performed are the next-best signal because reviewing requires earned maintainer trust, which is the hardest thing on GitHub to fake at scale.
How do I avoid importing bot stargazers into my ATS?
Stop pulling raw stargazer lists. If you must, filter every account for three things: account age over 12 months, at least 1 follower, and at least 1 public contribution in the last 6 months. StarScout found flagged accounts had deletion ratios up to 90%, roughly 16x baseline, so these filters work cheaply. Better still, source from the contributor list (people who have merged PRs) rather than the stargazer list of any repo you care about.
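The stargazer hygiene filter described in this answer and in the "what to delete" list above, as an added example (not code from the article, Refolk, or the StarScout project): it applies the three account checks to constructed records shaped like a GitHub user profile, reports which check each dropped account failed, and computes the share of a repo's stargazers that fail, which is the repo-level warning the 36% to 76% forensic figures point at. The `Account` fields, the sample logins and the reference date are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# The article's three stargazer checks: over 12 months old, 1+ follower, public activity in last 6 months.
MIN_ACCOUNT_AGE_DAYS, MIN_FOLLOWERS, MAX_DAYS_SINCE_CONTRIBUTION = 365, 1, 183

@dataclass(frozen=True)
class Account:  # hypothetical projection of a GitHub user record; the field names are assumed
    login: str
    created_at: date
    followers: int
    last_public_contribution: Optional[date]  # None means no public activity at all

def account_reasons(acct: Account, today: date) -> list[str]:
    """Rubric checks this stargazer fails; an empty list means keep it."""
    reasons = []
    if (today - acct.created_at).days <= MIN_ACCOUNT_AGE_DAYS:
        reasons.append("account younger than 12 months")
    if acct.followers < MIN_FOLLOWERS:
        reasons.append("zero followers")
    last = acct.last_public_contribution
    if last is None or (today - last).days > MAX_DAYS_SINCE_CONTRIBUTION:
        reasons.append("no public contribution in last 6 months")
    return reasons

def filter_stargazers(accounts, today):
    """Split stargazers into logins to keep and a login -> failed-checks map to drop."""
    keep, drop = [], {}
    for acct in accounts:
        reasons = account_reasons(acct, today)
        if reasons:
            drop[acct.login] = reasons
        else:
            keep.append(acct.login)
    return keep, drop

def suspect_fraction(accounts, today) -> float:
    """Share of stargazers failing any check; the article's forensic sample put 36% to 76%
    of stargazers on suspect repos at zero followers, so a share in that band flags the repo."""
    return len(filter_stargazers(accounts, today)[1]) / len(accounts) if accounts else 0.0

# Constructed sample records and reference date; these are not real GitHub accounts.
TODAY = date(2026, 5, 1)
SAMPLE_STARGAZERS = [
    Account("maintainer-a", date(2016, 3, 9), 240, date(2026, 4, 20)),  # long-lived, active
    Account("contrib-b", date(2023, 11, 2), 7, date(2026, 2, 14)),       # passes all three
    Account("fresh-01", date(2026, 3, 30), 0, None),                     # fails all three
    Account("fresh-02", date(2026, 3, 30), 0, date(2026, 3, 30)),        # new, no followers
    Account("dormant-c", date(2019, 6, 1), 3, date(2024, 1, 5)),         # old but inactive
]
```

On the constructed sample, `filter_stargazers` keeps only `maintainer-a` and `contrib-b` and `suspect_fraction` returns 0.6, the kind of value that should make you question the repo rather than just the import.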
Does this change how I should talk to engineering candidates?
Yes. Engineers know about the fake-star economy; Theo Browne's coverage and the ICSE paper made it common knowledge in spring 2026. Citing a candidate's personal repo star count in an outreach message now reads as naive. Citing a specific merged PR, a review they left on someone else's PR, or a thoughtful issue comment reads as someone who actually looked. The bar for first-message specificity in GitHub recruiting just went up.