Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1097

Starjacking

What is Starjacking?

A supply-chain trick where a malicious package falsely links to a popular GitHub repository so it appears to inherit that project's stars, forks, and credibility.

Starjacking abuses the fact that npm, PyPI, and similar registries display popularity metrics (GitHub stars, contributors, README) using URLs supplied by the package author without verifying ownership. An attacker publishes a malicious or typosquatted package and points its repository field to a famous, unrelated project. Tooling and developers that judge trust by stars or download badges see what looks like a heavily used project and install the malicious code. Starjacking is often combined with typosquatting or dependency confusion. Defences include verifying the actual repository URL, looking at maintainer history and publish dates, and using tools such as Socket, OpenSSF Scorecard, or registry signature checks.

Examples

  1. A malicious npm package sets its "repository" field to facebook/react so the registry page shows React's star count.

  2. A typosquatted package on PyPI links its homepage to a well-known data-science library to appear legitimate.
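The first defence named in the definition, verifying the actual repository URL, can be automated: fetch the manifest that really lives in the declared repository and check that it names the same package and links back to the same repository, then compare the package's first publish date with the repository's age. The Python below is an added example written for this glossary entry; it is not code from any registry, Socket, or OpenSSF Scorecard. It works offline on constructed sample records (the package names, dates and version counts are made up, and the fetching step is represented by a pre-built `RepoManifest` object) and generalises example 01 above to the common URL forms found in npm `repository` fields and PyPI project URLs.

```python
"""Cross-check a package's declared GitHub repository against the manifest
actually found there, to flag starjacking candidates.

Added example for this glossary entry; not from any registry or scanning tool.
All sample data below is constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Full URL forms: git+https://..., https://..., git@github.com:owner/repo.git
_GITHUB_RE = re.compile(
    r"^(?:git\+)?(?:https?://|git@|ssh://git@)?(?:www\.)?github\.com[:/]"
    r"(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?/?$"
)
# npm shorthand forms: github:owner/repo or bare owner/repo
_SHORTHAND_RE = re.compile(
    r"^(?:github:)?(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+)$"
)


def normalize_repo(value) -> Optional[str]:
    """Return 'owner/repo' (lower case) for a GitHub reference, else None.

    Accepts the raw string or the {"type": "git", "url": ...} object form."""
    if isinstance(value, dict):
        value = value.get("url", "")
    if not isinstance(value, str):
        return None
    m = _GITHUB_RE.match(value.strip()) or _SHORTHAND_RE.match(value.strip())
    if not m:
        return None
    return f"{m.group('owner')}/{m.group('repo')}".lower()


@dataclass
class PackageRecord:
    """What the registry shows for a package (constructed sample data)."""
    name: str
    repository: object        # raw "repository" field as published
    first_published: date
    version_count: int


@dataclass
class RepoManifest:
    """What the manifest inside the declared repository actually says
    (package.json name/repository, or pyproject.toml name/urls)."""
    slug: str                 # owner/repo the manifest was fetched from
    name: Optional[str]
    repository: object
    created: date


def check_starjacking(pkg: PackageRecord, manifest: Optional[RepoManifest],
                      today: date) -> list[str]:
    """Return a list of findings; an empty list means the link looks genuine."""
    findings: list[str] = []
    slug = normalize_repo(pkg.repository)
    if slug is None:
        return ["repository field missing or not a parsable GitHub reference"]
    if manifest is None:
        return [f"declared repository {slug} could not be fetched"]
    # 1. The manifest in the repo must name this package, not a different one.
    if manifest.name != pkg.name:
        findings.append(
            f"repo {slug} declares package '{manifest.name}', not '{pkg.name}'")
    # 2. The repo's own manifest should point back at the same repository.
    back = normalize_repo(manifest.repository)
    if back != slug:
        findings.append(f"repo manifest links to {back}, not {slug}")
    # 3. A days-old package with one or two releases attached to a years-old
    #    repository is the publish-date signal the definition mentions.
    pkg_age = (today - pkg.first_published).days
    repo_age = (today - manifest.created).days
    if pkg_age < 30 and repo_age > 365 and pkg.version_count <= 2:
        findings.append(
            f"package first published {pkg_age} days ago but repo is {repo_age} days old")
    return findings


# Constructed sample data (dates and counts are illustrative, not real).
TODAY = date(2026, 3, 1)
REACT_REPO = RepoManifest("facebook/react", "react",
                          "https://github.com/facebook/react.git", date(2013, 5, 24))
LEGIT = PackageRecord("react",
                      {"type": "git", "url": "git+https://github.com/facebook/react.git"},
                      date(2013, 5, 29), 1500)
# Hypothetical starjacked package: new, one release, borrows React's repo.
SUSPECT = PackageRecord("example-starjacked-pkg", "github:facebook/react",
                        date(2026, 2, 25), 1)

if __name__ == "__main__":
    for pkg in (LEGIT, SUSPECT):
        print(pkg.name, "->", check_starjacking(pkg, REACT_REPO, TODAY) or "ok")
```

In a real pipeline the `RepoManifest` would be built from the file fetched at the normalised slug (for npm, `package.json`; for PyPI, `pyproject.toml` or `setup.cfg`), and a package whose declared repository fails check 1 or 2 should be treated as unverified regardless of how many stars the registry page displays.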

Frequently asked questions

What is Starjacking?

A supply-chain trick where a malicious package falsely links to a popular GitHub repository so it appears to inherit that project's stars, forks, and credibility. It belongs to the Attacks & Threats category of cybersecurity.

What does Starjacking mean?

A supply-chain trick where a malicious package falsely links to a popular GitHub repository so it appears to inherit that project's stars, forks, and credibility.

How does Starjacking work?

Starjacking abuses the fact that npm, PyPI, and similar registries display popularity metrics (GitHub stars, contributors, README) using URLs supplied by the package author without verifying ownership. An attacker publishes a malicious or typosquatted package and points its repository field to a famous, unrelated project. Tooling and developers that judge trust by stars or download badges see what looks like a heavily used project and install the malicious code. Starjacking is often combined with typosquatting or dependency confusion. Defences include verifying the actual repository URL, looking at maintainer history and publish dates, and using tools such as Socket, OpenSSF Scorecard, or registry signature checks.

How do you defend against Starjacking?

Defences for Starjacking typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Starjacking?

Common alternative names include: Star-jacking, Stat-jacking.
