How TrustStar Works
Every scoring algorithm is open source and auditable. The full methodology is documented below — read the code, verify the math, report disagreements.
Why trust matters
Open source reputation signals are routinely manipulated. Developers need a way to verify what they see.
A Carnegie Mellon University study (ICSE 2026) identified 6 million suspected fake stars across 18,617 repositories using 301,000 accounts. By July 2024, 16.66% of repos with 50+ stars were involved in fake star campaigns.
Fake stars are sold on Fiverr gigs, Telegram channels, and dedicated websites. SocialPlug alone claims 3.1 million stars delivered to 53,000 clients.
78 repositories made it onto GitHub Trending with manufactured star counts, gaming the platform's own discovery pipeline and misleading thousands of developers.
Supply chain attacks on open source packages have increased 742% since 2019. A single malicious dependency can compromise thousands of downstream projects.
Three engines, one trust verdict
Each engine runs independently and produces its own score. Results are fully transparent — you can see exactly which signals drove each finding.
Trust Score
Analyzes GitHub repositories to detect fake star campaigns and assess the authenticity of a project's community. Examines up to 500 stargazer profiles across time-distributed samples.
| Account Quality | 26% | Profile completeness of sampled stargazers: account age, public repos, followers, avatar, lockstep patterns |
| Temporal Behavior | 23% | Star velocity anomalies, burst detection, Z-score peaks, time-window concentration |
| Project Health | 26% | Fork/star ratio, commit cadence, active contributors, issue resolution rate |
| Authenticity | 25% | Low-activity disposable accounts, coordinated starring (lockstep), burst months dominated by suspicious accounts |
npm Check
Cross-references npm download counts with GitHub stars, maintainer count, release history, and install scripts to surface inconsistencies between popularity signals.
Thresholds are conservative — in case of doubt, signals default to Neutral rather than Warning.
Code Scan
Static security analysis of up to 50 source files, fetched shallow-first to maximize coverage of the most likely attack surface. Analyzes .ts, .js, .py, and .sh files.
| Network | Hardcoded non-loopback IPs, unknown domains, dynamic URL construction |
| Filesystem | Access to ~/.ssh, ~/.aws, ~/.gnupg, /etc/passwd, /etc/shadow |
| Execution | eval(), new Function(), exec() and spawn() with dynamic arguments |
| Obfuscation | eval(atob()), long base64 strings (>200 chars), hex-escape flooding, fromCharCode chains, hardcoded PEM keys |
| Dependencies | Unpinned versions, typosquatting via edit distance ≤ 2 |
How TrustStar compares
TrustStar is not a replacement for Socket or Snyk. It's the quick trust check you do before npm install. 5 seconds to know if a repo is legit.
Socket and Snyk do deep vulnerability scanning and malware detection. TrustStar is complementary — the quick legitimacy check before you invest time in a deeper audit.
Honest about our limits
TrustStar does not replace a full security audit. Here is what it cannot detect:
- —SQL injection, XSS, NoSQL injection, and SSTI — these require AST-level data-flow analysis, which TrustStar does not perform.
- —Code in files beyond the 50-file scan limit — large repos with deep directory trees may have vulnerable code in paths that were not fetched.
- —PHP, Ruby, Java, and Go backends — only .ts, .js, .py, and .sh files are analyzed. A PHP app is analyzed only on its JavaScript glue code.
- —Multi-line PEM private keys stored with real embedded newlines — single-line escape sequences (\r\n) are detected; actual newlines in string literals are not.
- —Transitive dependencies — only direct entries in package.json or requirements.txt are checked.
For deeper audits, use TrustStar alongside Snyk, Socket.dev, and npm audit.
Tested and measured
Each engine is validated against a fixed benchmark of real-world repositories and packages, run multiple times for consistency.
Built on peer-reviewed research
TrustStar's Authenticity engine is grounded in peer-reviewed research by He, Yang, Burckhardt, Kapravelos, Vasilescu, and Kästner, from Carnegie Mellon University, North Carolina State University, and Socket Inc., published at ICSE 2026 — the top academic venue for software engineering.
The research analyzed 20 terabytes of GitHub metadata — 6.7 billion events and 326 million stars from 2019 to 2024. Their findings:
- —6 million suspected fake stars across 18,617 repositories
- —301,000 accounts involved in fake star campaigns
- —90.42% of flagged repos were later deleted by GitHub, confirming detection accuracy
- —AI/LLM repositories are the largest non-malicious category of fake star recipients
TrustStar implements two key signatures from this research:
- 1.Low Activity Signature — detecting disposable accounts created solely for starring, with no public repos, no followers, and no activity beyond the starring event.
- 2.Lockstep Signature — detecting coordinated groups of accounts that star the same repositories in tight time windows (adapted from the CopyCatch algorithm by Facebook).
Additionally, TrustStar adds stratified burst-month sampling for large repositories (5K+ stars), targeting the time periods where fake star campaigns concentrate their activity.
Get in touch
Questions, feedback, or want to report a scoring issue? We read every message.
support@truststar.co