# Starjacking
Starjacking is a supply chain attack where an attacker publishes a malicious package on a public registry and links it to a popular, unrelated GitHub repository to inherit its star count, contributor list, and perceived legitimacy. Package registries display the linked repository's metadata alongside the package, making it appear trusted.
## How it works
1. The attacker publishes a malicious package on npm, PyPI, or another registry
2. The attacker sets the package's `repository` field to point to a popular, legitimate GitHub project that has nothing to do with the package
3. The registry displays that project's star count, contributors, and activity
4. Developers evaluating the package see thousands of stars and assume it's trustworthy
5. Installation executes the malicious payload
## Why it works
- Most registries don't verify that the linked repository actually contains the package's source code
- Developers use GitHub stars as a heuristic for trustworthiness
- Automated security tools may whitelist packages based on repository popularity metrics
- The attack requires zero interaction with the legitimate project's maintainers
## Combination with other attacks
Starjacking is often combined with:
- **[[Typosquatting]]**: a typosquatted package name plus inherited stars makes the deception convincing
- **[[Slopsquatting]]**: an AI-hallucinated package that appears to have a reputable repository
- **[[Namesquatting]]**: any name-based attack benefits from inflated trust signals
## Mitigation
1. **Don't trust stars alone**: verify the repository actually contains the package source code
2. **Check publisher identity**: look at who published the package, not just the linked repo
3. **Verify provenance**: use npm provenance attestations or Sigstore signatures where available
4. **Check package age and history**: newly published packages claiming old, popular repos are suspicious
5. **[[Software Composition Analysis (SCA)]]**: tools that cross-reference package metadata with actual repository content
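The cross-check in mitigation 1 can be automated. The following is an added example, not code from this page or any named SCA tool: it normalizes a package's claimed `repository` field and compares it with the `package.json` found in the linked repository. Package names, URLs and metadata are constructed for illustration.

```python
import re

# Constructed registry document for a hypothetical package that claims a
# popular repository it does not belong to (not a real package).
REGISTRY_DOC = {
    "name": "fast-utils-pro",
    "repository": {"type": "git", "url": "git+https://github.com/example-org/popular-lib.git"},
}

# Constructed package.json as read from that repository's default branch.
REPO_PACKAGE_JSON = {
    "name": "popular-lib",
    "repository": "github:example-org/popular-lib",
}

# Matches github.com/<owner>/<repo> in https, git+https, ssh and scp-style URLs.
GITHUB_RE = re.compile(r"github\.com[/:]([^/]+)/([^/#?]+?)(?:\.git)?/?$")


def normalize_repo(field):
    """Reduce an npm `repository` field (object, URL or 'github:owner/repo') to lower-case 'owner/repo', or None."""
    if isinstance(field, dict):
        field = field.get("url", "")
    if not isinstance(field, str):
        return None
    if field.startswith("github:"):
        return field[len("github:"):].rstrip("/").lower()
    match = GITHUB_RE.search(field)
    return f"{match.group(1)}/{match.group(2)}".lower() if match else None


def starjacking_findings(registry_doc, repo_package_json):
    """Compare the repository a package claims with what that repository says about itself; [] means consistent."""
    claimed = normalize_repo(registry_doc.get("repository"))
    if claimed is None:
        return ["no parseable GitHub repository link in registry metadata"]
    if repo_package_json is None:
        return [f"linked repository {claimed} contains no package.json"]
    findings = []
    # The manifest in the linked repo should declare the same package name.
    repo_name = repo_package_json.get("name")
    if repo_name != registry_doc.get("name"):
        findings.append(f"name mismatch: registry '{registry_doc.get('name')}' vs repository '{repo_name}'")
    # The manifest should also point back at the repository it lives in.
    back_link = normalize_repo(repo_package_json.get("repository"))
    if back_link != claimed:
        findings.append(f"repository manifest links to {back_link}, not {claimed}")
    return findings
```

Run `starjacking_findings(REGISTRY_DOC, REPO_PACKAGE_JSON)` on the constructed data and the name mismatch is reported; in practice the two inputs come from the registry API and a fetch of the repository's manifest.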
## References
- Checkmarx: research on starjacking in npm ecosystem
## Related
- [[Namesquatting]]
- [[Typosquatting]]
- [[Slopsquatting]]
- [[Dependency Confusion]]
- [[Software Supply Chain Security]]
- [[Package Registry Security]]
- [[Software Composition Analysis (SCA)]]
- [[Attack vectors]]