Dev.to
6/2/2026

We Scanned 100 AI Repos on GitHub. Here's What We Found.
Short summary
Researchers audited GitHub repos and discovered systematic star manipulation attacks: crypto protocols incentivizing mass-starring, typosquats of drone firmware projects with 3× the visibility of the legitimate projects, and bot networks creating instant credibility. GitHub's star metric, the primary trust and discovery signal, has become a quantifiable attack surface with specific temporal fingerprints. Full reproducible methodology and dataset at truststar.co.
- Crypto airdrops gamed GitHub by offering QUIP points per star, creating 11,300-star repos across 5 languages in 48 hours
- Typosquats of legitimate drone firmware projects earned 3× more stars through bot attacks, appearing first in search despite zero development
- The methodology detects artificial inflation via temporal patterns (bot clustering under 5 seconds) with 88%+ accuracy on known legitimate repos
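A minimal version of the temporal check the summary describes, written here as an added example (it is not the researchers' code or the truststar.co dataset); the 5-second gap, the minimum burst size and the sample star timeline are constructed assumptions:

```python
"""Temporal star-burst detector (added example, not from the article).

Flags runs of star events where consecutive stars arrive within a short gap,
the "bot clustering under 5 seconds" signature the summary describes.
The thresholds and the sample timeline below are constructed assumptions.
"""
from datetime import datetime, timedelta

CLUSTER_GAP = timedelta(seconds=5)   # assumed max gap between stars in one burst
MIN_BURST = 5                        # assumed: shorter runs are treated as organic


def find_bursts(timestamps, gap=CLUSTER_GAP, min_size=MIN_BURST):
    """Return (start, end, count) for each run of stars spaced <= gap apart."""
    ts = sorted(timestamps)
    bursts = []
    run_start = 0
    for i in range(1, len(ts) + 1):
        # A run ends at the last event or when the next gap exceeds the threshold.
        if i == len(ts) or ts[i] - ts[i - 1] > gap:
            size = i - run_start
            if size >= min_size:
                bursts.append((ts[run_start], ts[i - 1], size))
            run_start = i
    return bursts


def inflation_ratio(timestamps, **kw):
    """Fraction of all stars that fall inside a detected burst."""
    if not timestamps:
        return 0.0
    burst_stars = sum(count for _, _, count in find_bursts(timestamps, **kw))
    return burst_stars / len(timestamps)


def sample_events():
    """Constructed timeline: 6 organic stars hours apart, then 20 stars 1 s apart."""
    t0 = datetime(2026, 5, 1, 12, 0, 0)
    organic = [t0 + timedelta(minutes=37 * k) for k in range(6)]
    burst = [t0 + timedelta(hours=5, seconds=k) for k in range(20)]
    return organic + burst


if __name__ == "__main__":
    events = sample_events()
    for start, end, count in find_bursts(events):
        print(f"burst of {count} stars between {start} and {end}")
    print(f"inflation ratio: {inflation_ratio(events):.2f}")
```

On real data the timestamps come from the repository's stargazer history; the ratio is only one signal and should be read alongside the other fingerprints the article lists.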



