TrustStarTrustStar
Transparency

How TrustStar Works

Every scoring algorithm is open source and auditable. The full methodology is documented below — read the code, verify the math, report disagreements.

View on GitHubTry an Analysis
The problem

Why trust matters

Open source reputation signals are routinely manipulated. Developers need a way to verify what they see.

6,000,000
Fake Stars — confirmed by peer-reviewed research

A Carnegie Mellon University study (ICSE 2026) identified 6 million suspected fake stars across 18,617 repositories using 301,000 accounts. By July 2024, 16.66% of repos with 50+ stars were involved in fake star campaigns.

$0.03–$0.85
Per star — sold openly on a dozen platforms

Fake stars are sold on Fiverr gigs, Telegram channels, and dedicated websites. SocialPlug alone claims 3.1 million stars delivered to 53,000 clients.

78 repos
Reached GitHub Trending via purchased stars

78 repositories made it onto GitHub Trending with manufactured star counts, gaming the platform's own discovery pipeline and misleading thousands of developers.

+742%
Supply Chain Attacks since 2019

Supply chain attacks on open source packages have increased 742% since 2019. A single malicious dependency can compromise thousands of downstream projects.

The engines

Three engines, one trust verdict

Each engine runs independently and produces its own score. Results are fully transparent — you can see exactly which signals drove each finding.

Trust Score

Analyzes GitHub repositories to detect fake star campaigns and assess the authenticity of a project's community. Examines up to 500 stargazer profiles across time-distributed samples.

How we score it
Account Quality26%Profile completeness of sampled stargazers: account age, public repos, followers, avatar, lockstep patterns
Temporal Behavior23%Star velocity anomalies, burst detection, Z-score peaks, time-window concentration
Project Health26%Fork/star ratio, commit cadence, active contributors, issue resolution rate
Authenticity25%Low-activity disposable accounts, coordinated starring (lockstep), burst months dominated by suspicious accounts
Labels
SAFEscore ≥ 70 + all checks pass
CAUTIONmixed signals or authenticity override
SUSPICIOUSsignificant anomalies
DANGEROUSscore < 30 or critical anomalies
NEW< 50 stars
Labels can be overridden by critical metrics. A repo scoring 75 can still be labeled CAUTIONif 40%+ of its stargazers have zero followers — because numbers don't lie.

npm Check

Cross-references npm download counts with GitHub stars, maintainer count, release history, and install scripts to surface inconsistencies between popularity signals.

Signal types
PositiveDownloads above 10k/week, age over 2 years, multiple maintainers, linked GitHub repo, 10+ versions
NeutralLow download volume, single maintainer, no linked repo, published over a year ago
Warning100k+ downloads but under 50 stars and 10 forks, install scripts detected, very new package with high downloads

Thresholds are conservative — in case of doubt, signals default to Neutral rather than Warning.

Code Scan

Static security analysis of up to 50 source files, fetched shallow-first to maximize coverage of the most likely attack surface. Analyzes .ts, .js, .py, and .sh files.

What we detect
NetworkHardcoded non-loopback IPs, unknown domains, dynamic URL construction
FilesystemAccess to ~/.ssh, ~/.aws, ~/.gnupg, /etc/passwd, /etc/shadow
Executioneval(), new Function(), exec() and spawn() with dynamic arguments
Obfuscationeval(atob()), long base64 strings (>200 chars), hex-escape flooding, fromCharCode chains, hardcoded PEM keys
DependenciesUnpinned versions, typosquatting via edit distance ≤ 2
Severity penalties
CRITICAL-25 pts
HIGH-15 pts
MEDIUM-8 pts
LOW-3 pts
INFO0 pts
Positioning

How TrustStar compares

TrustStar is not a replacement for Socket or Snyk. It's the quick trust check you do before npm install. 5 seconds to know if a repo is legit.

TrustStarOpenSSF ScorecardSocketStarForensic
Fake star detection✓ Full (4 dimensions)Stars only
npm consistency check
Code scanPartial✓ Deep
Free & open source✓ MITFreemiumFree
No account required
Badge for README
API access✓ FreePaid

Socket and Snyk do deep vulnerability scanning and malware detection. TrustStar is complementary — the quick legitimacy check before you invest time in a deeper audit.

Limitations

Honest about our limits

TrustStar does not replace a full security audit. Here is what it cannot detect:

  • SQL injection, XSS, NoSQL injection, and SSTI — these require AST-level data-flow analysis, which TrustStar does not perform.
  • Code in files beyond the 50-file scan limit — large repos with deep directory trees may have vulnerable code in paths that were not fetched.
  • PHP, Ruby, Java, and Go backends — only .ts, .js, .py, and .sh files are analyzed. A PHP app is analyzed only on its JavaScript glue code.
  • Multi-line PEM private keys stored with real embedded newlines — single-line escape sequences (\r\n) are detected; actual newlines in string literals are not.
  • Transitive dependencies — only direct entries in package.json or requirements.txt are checked.

For deeper audits, use TrustStar alongside Snyk, Socket.dev, and npm audit.

Reliability

Tested and measured

Each engine is validated against a fixed benchmark of real-world repositories and packages, run multiple times for consistency.

100%
Trust Score
29-repo benchmark
100%
npm Check
45-package benchmark
94%
Code Scan
19 repos, 8 iterations
Research

Built on peer-reviewed research

TrustStar's Authenticity engine is grounded in peer-reviewed research by He, Yang, Burckhardt, Kapravelos, Vasilescu, and Kästner, from Carnegie Mellon University, North Carolina State University, and Socket Inc., published at ICSE 2026 — the top academic venue for software engineering.

The research analyzed 20 terabytes of GitHub metadata — 6.7 billion events and 326 million stars from 2019 to 2024. Their findings:

  • 6 million suspected fake stars across 18,617 repositories
  • 301,000 accounts involved in fake star campaigns
  • 90.42% of flagged repos were later deleted by GitHub, confirming detection accuracy
  • AI/LLM repositories are the largest non-malicious category of fake star recipients

TrustStar implements two key signatures from this research:

  • 1.Low Activity Signature — detecting disposable accounts created solely for starring, with no public repos, no followers, and no activity beyond the starring event.
  • 2.Lockstep Signature — detecting coordinated groups of accounts that star the same repositories in tight time windows (adapted from the CopyCatch algorithm by Facebook).

Additionally, TrustStar adds stratified burst-month sampling for large repositories (5K+ stars), targeting the time periods where fake star campaigns concentrate their activity.

He, Yang, Burckhardt, Kapravelos, Vasilescu, and Kästner. “Six Million (Suspected) Fake Stars on GitHub: A Growing Spiral of Popularity Contests, Spam, and Malware.” ICSE 2026. arxiv.org/abs/2412.13459
Contact

Get in touch

Questions, feedback, or want to report a scoring issue? We read every message.

support@truststar.co
This will open your default email app pre-filled with your message.