Starjacking
A supply chain attack where a malicious package links to a popular GitHub repository to inherit its star count and perceived legitimacy
Also known as: Star Jacking
Category: Software Development
Tags: security, cybersecurity, supply-chain-attacks, software-development, deception
Explanation
Starjacking is a supply chain attack where an attacker publishes a malicious package on a public registry and links it to a popular, unrelated GitHub repository to inherit its star count, contributor list, and perceived legitimacy. Package registries display the linked repository's metadata alongside the package, making it appear trusted when it is not.
The attack is deceptively simple: the attacker creates a malicious package on npm, PyPI, or another registry, sets the package's repository field to point to a popular, legitimate GitHub project, and the registry displays that project's star count, contributors, and activity. Developers evaluating the package see thousands of stars and assume it is trustworthy, then install it and execute the malicious payload.
Starjacking works because most registries don't verify that the linked repository actually contains the package's source code. Developers use GitHub stars as a heuristic for trustworthiness, automated security tools may whitelist packages based on repository popularity metrics, and the attack requires zero interaction with the legitimate project's maintainers.
Starjacking is particularly dangerous when combined with other attack techniques. A typosquatted package name plus fake stars makes the deception highly convincing. An AI-hallucinated package (slopsquatting) that appears to have a reputable repository is even harder to detect. Any name-based attack benefits from the inflated trust signals that starjacking provides.
Mitigation includes never trusting stars alone, verifying the repository actually contains the package source code, checking publisher identity rather than just the linked repo, using provenance attestations like npm provenance or Sigstore signatures, checking package age and history (newly published packages claiming old popular repos are suspicious), and using SCA tools that cross-reference package metadata with actual repository content.
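As an added illustration (not part of this entry), the repository cross-check and package-age heuristic from the mitigations above, written in Python. The metadata classes and sample values are constructed; a real check would populate them from the registry's package JSON and the GitHub API.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed metadata shapes: the fields a registry and GitHub expose
# that matter for a starjacking check.
@dataclass
class PackageMeta:
    name: str            # name as published on the registry
    repository_url: str  # the "repository" field, which the publisher controls
    first_published: date

@dataclass
class RepoMeta:
    full_name: str       # "owner/repo" as reported by GitHub
    created: date
    manifest_name: Optional[str]  # name in the repo's own package.json / pyproject, None if absent

GITHUB_SLUG = re.compile(r"github\.com[/:]([\w.-]+)/([\w.-]+)")

def repo_slug(url: str) -> Optional[str]:
    """Normalise https, git+https and ssh GitHub URLs to lowercase 'owner/repo'."""
    m = GITHUB_SLUG.search(url)
    if not m:
        return None
    owner, repo = m.group(1), m.group(2).removesuffix(".git")
    return f"{owner}/{repo}".lower()

def starjacking_findings(pkg: PackageMeta, repo: RepoMeta, min_gap_days: int = 365) -> List[str]:
    """Return reasons the package's repository link should not be trusted (empty list = no finding)."""
    findings = []
    slug = repo_slug(pkg.repository_url)
    if slug is None:
        findings.append("repository field is not a GitHub URL")
    elif slug != repo.full_name.lower():
        findings.append(f"repository field ({slug}) does not match the repo checked ({repo.full_name})")
    # Core check: does the linked repository actually publish *this* package?
    if repo.manifest_name is None:
        findings.append("linked repository contains no package manifest")
    elif repo.manifest_name != pkg.name:
        findings.append(f"linked repository publishes '{repo.manifest_name}', not '{pkg.name}'")
    # Age heuristic: a brand-new package pointing at a long-established repository.
    if (pkg.first_published - repo.created).days > min_gap_days:
        findings.append("package is far newer than the repository it claims")
    return findings

# Constructed sample: a fresh package borrowing an established project's repo link.
SUSPECT = PackageMeta("popular-lib-utils", "https://github.com/example-org/popular-lib", date(2024, 5, 1))
LEGIT = PackageMeta("popular-lib", "git+https://github.com/example-org/popular-lib.git", date(2015, 3, 12))
REPO = RepoMeta("example-org/popular-lib", date(2015, 3, 1), manifest_name="popular-lib")

if __name__ == "__main__":
    for pkg in (SUSPECT, LEGIT):
        print(pkg.name, starjacking_findings(pkg, REPO) or ["no findings"])
```

The manifest comparison is the decisive check: stars say nothing about whether the linked repository is the package's source, while a mismatched or missing manifest does.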