Suspicious Star Spikes on Specific Project, Likely Linked to Malicious Bot Activity

[pilgrimlyieu]

Select Topic Area

Show & Tell

Body

TLDR; This is Shai-Hulud 2.0 Supply Chain Attack.

When I checked GitHub this morning, I noticed that my small project (pilgrimlyieu/Focust) suddenly jumped to 123 stars (it only had 1 star before). I immediately felt something was very wrong. I hadn't done any promotion, so why the sudden, massive influx of stars? Furthermore, I noticed that the timing of these stars was highly concentrated.

Initially, I clicked on a few accounts, and their activity looked quite normal; it was hard to tell if they were bot-maintained accounts just by looking. But I quickly noticed a pattern: most of them had seven or eight hundred stars, sometimes even over a thousand.

Then I randomly checked the star history of several of these accounts and found that they all had starred multiple repositories (including some seemingly random forks) belonging to the user Hrishikesh332 (Hrishikesh Yadav).

Later, I dug deeper into the star history of a few more accounts and found that multiple repositories belonging to arpitbbhayani (Arpit Bhayani) were also starred.

Earlier on, there were a small number of stars for projects by linus (Linus G Thiel) and torvalds (Linus Torvalds), but I suspect these were just chosen as camouflage due to their fame.

Going back further, the projects were more varied. I didn't notice it at first, but quickly realized that many of these repositories primarily used Rust, while others were either TypeScript, Vue, or Svelte. I clicked into a few random ones, and sure enough, they were all developed using Tauri, without exception.

This is when I understood why my small, obscure repository was included. I recently uploaded my project to tauri-apps/awesome-tauri: 🚀 Awesome Tauri Apps, Plugins and Resources. When scrolling through the list of projects, I also saw other Awesome Tauri projects listed in the star records of those suspicious accounts.

I have already opened a ticket with GitHub Support, although I'm unsure if GitHub will take action. After all, my last support ticket has been open for months without a reply.

I am documenting this to see if anyone else has had a similar experience and if there are any effective solutions.

---

Below is the Star History, showing growth at a relatively stable frequency over a short period:

pilgrimlyieu/Focust,Thu Nov 20 2025 08:47:36 GMT+0800 (China Standard Time),1
pilgrimlyieu/Focust,Wed Nov 26 2025 01:48:16 GMT+0800 (China Standard Time),8
pilgrimlyieu/Focust,Wed Nov 26 2025 01:50:08 GMT+0800 (China Standard Time),15
pilgrimlyieu/Focust,Wed Nov 26 2025 01:52:14 GMT+0800 (China Standard Time),22
pilgrimlyieu/Focust,Wed Nov 26 2025 01:53:50 GMT+0800 (China Standard Time),29
pilgrimlyieu/Focust,Wed Nov 26 2025 01:55:29 GMT+0800 (China Standard Time),36
pilgrimlyieu/Focust,Wed Nov 26 2025 01:57:07 GMT+0800 (China Standard Time),43
pilgrimlyieu/Focust,Wed Nov 26 2025 01:59:17 GMT+0800 (China Standard Time),50
pilgrimlyieu/Focust,Wed Nov 26 2025 02:00:54 GMT+0800 (China Standard Time),57
pilgrimlyieu/Focust,Wed Nov 26 2025 02:02:33 GMT+0800 (China Standard Time),64
pilgrimlyieu/Focust,Wed Nov 26 2025 02:04:35 GMT+0800 (China Standard Time),71
pilgrimlyieu/Focust,Wed Nov 26 2025 02:06:15 GMT+0800 (China Standard Time),78
pilgrimlyieu/Focust,Wed Nov 26 2025 02:08:07 GMT+0800 (China Standard Time),85
pilgrimlyieu/Focust,Wed Nov 26 2025 02:09:49 GMT+0800 (China Standard Time),92
pilgrimlyieu/Focust,Wed Nov 26 2025 02:11:36 GMT+0800 (China Standard Time),99
pilgrimlyieu/Focust,Wed Nov 26 2025 02:13:31 GMT+0800 (China Standard Time),106
pilgrimlyieu/Focust,Wed Nov 26 2025 02:15:11 GMT+0800 (China Standard Time),113
pilgrimlyieu/Focust,Wed Nov 26 2025 11:27:27 GMT+0800 (China Standard Time),122

Now the count is only 121, as two stars have been removed. I now think it's possible that these accounts are indeed legitimate, but their tokens were leaked and exploited by malicious actors. Therefore, I urge everyone to keep their tokens secure.

I have discovered further characteristic some accounts have:

• The repository descriptions of some users contain the phrase F**K Guillermo, F**K VERCEL --multi.
• Additionally, the repository READMEs for these accounts were recently altered (in commits just a few hours ago) to display an advertisement: Free AI at *** (The real link has been masked).
  • These commits have been forced pushed with "Linus"'s commit to cover up. You can still check it from GitHub Repository Activity. Here's an example: https://github.com/kelvinyrb/inertia/compare/1868e4315cb3aacba800a04838d0d0e11688fd38...2df83a0290fbd737f3c25755b9668383e45d6515

UPDATE: Read Sha1-Hulud 2.0 Supply Chain Attack: 25K+ Repos Exposed | Wiz Blog

[Raphiiko]

Similar thing here, my repository (that too is listed on awesome-tauri) gained around a hundred stars in a very short period of time, which seemed very suspicious.

[pilgrimlyieu]

UPDATE

I continued scrolling past this point, and the subsequent items were outside the Tauri ecosystem, though I vaguely remember FastAPI. I'm now trying to see if there are any new characteristics, but it might be difficult here, especially since the "victim" might already have some stars.

Based on the user's star list above, the last Tauri project is Kaas, and the first project that is no longer Tauri is piccolo admin. This project's main languages are Python and Vue, so I searched Awesome Python and Awesome Vue, but found nothing.

However, I quickly had a flash of inspiration and checked the README. It indeed used FastAPI, so I then searched Awesome FastAPI. Unsurprisingly, it was listed there.

But then a new item appeared. The last one that satisfied the pattern was FastAPI with Observability, and the new one was Azure AI-900 Exam Notes / Preparation Repository. I initially couldn't find any specific characteristic for this one, thinking it might have been there originally, but a second item I found also had it.

Since I couldn't find any features for this project, I directly copied the name + "Awesome" and searched on GitHub, but found nothing. Removing "Awesome" still didn't lead to any possible "list." So I gave up on that and decided to see what the first "suspicious" project was. However, this might be difficult because the star order is not perfectly consistent.

Upon further review, the characteristic of this project might be that the owner is anxkhn (Anas Khan), similar to the first two users, and it includes a few other repositories from this user.

Hmm... I wonder if it's a coincidence, but I checked, and these three users seem to be Indian? I saw the word "Mumbai" on the first user's X profile, and this user's location also seems to be in Mumbai? Of course, this is hard to say for sure, as Mumbai is a major city.

There's also another repository, ninadnaik10/ninadnaik10, who also seems to be Indian. Their X profile indicates their city is also in Mumbai?

Then there's the Linux kernel repository, and after that, there are no more duplicates. It seems this is the starting point?

[rclement]

I can confirm there might also be a link with "Awesome FastAPI" where my open-source project Mailer is listed somehow and yesterday also received a spike of more than a hundred suspicious stars. Been following these investigation thread closely.

Still don't understand the goal with adding stars to random repositories, this is not a vector of propagation of Shai Hulud 2.0 (especially given it propagates throught the NPM ecosystem, not Rust Crates not Python PyPI).

[pilgrimlyieu]

Hello everyone following this discussion. Before the victims started unstarring the repositories, I conducted an analysis and statistical breakdown of the attack data relevant to my own project. The code has been open-sourced in pilgrimlyieu/Sha1-Hulud-2-GitHub-Stars-Analysis.

According to my research, 86.22% of the projects listed on the Awesome Tauri list were "attacked," and 94.78% of the projects on the Awesome FastAPI list were "attacked". Furthermore, the vast majority of the affected projects were inflated with at least 100 stars.

More detailed data and the full investigative report can be found in the aforementioned repository. All victims' GitHub usernames have been encrypted to protect their privacy.

[Brendonovich]

and here i was thinking i got a bunch of stars for doing nothing 😄 thanks for the detailed investigation!