"6 Million Fake Stars" — The Shocking ICSE 2026 Paper

One of the most talked-about presentations at the Research Track of ICSE (The International Conference on Software Engineering), held in Brazil in April 2026, was the paper titled "Six Million (Suspected) Fake Stars on GitHub: A Growing Spiral of Popularity Contests, Spams, and Malware," with Hao He, a Ph.D. student at CMU, as lead author. Co-authors include CMU's Associate Professor Bogdan Vasilescu and Associate Professor Christian Kästner, Alexandros Kapravelos from North Carolina State University, and Philipp Burckhardt, a data scientist at Socket.

The research team analyzed 20 terabytes of GitHub metadata from GHArchive, covering a total of 6.7 billion events and 326 million stars, and developed a proprietary detection tool called StarScout. StarScout performs anomaly detection by combining two signals: "extremely low-activity accounts that star only a single repository" and "clusters of 50 or more accounts that star the same group of repositories in a synchronized manner within a short period (Lockstep Pattern)." As a result, approximately 6 million stars spanning 18,617 repositories were strongly suspected of being fake, with the number of participating accounts reaching approximately 301,000.
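The two signals described above can be sketched in a few lines. This is an added example, not StarScout's code or anything from the paper: the greedy clustering is a simplification, and the 48-hour window, the two-repository minimum, the `other_events` activity count and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_ACCOUNTS = 50              # cluster size quoted in the article
MIN_REPOS = 2                  # assumption: a "group of repositories" means two or more
WINDOW = timedelta(hours=48)   # assumption: what counts as "a short period"


def low_activity_accounts(stars, other_events, max_other=1):
    """Signal 1: accounts that starred exactly one repository and did almost nothing else."""
    repos_by_account = defaultdict(set)
    for account, repo, _ts in stars:
        repos_by_account[account].add(repo)
    return {account for account, repos in repos_by_account.items()
            if len(repos) == 1 and other_events.get(account, 0) <= max_other}


def densest_window(timed_accounts, window):
    """Largest set of accounts whose stars on one repository fit inside one time window."""
    timed = sorted(timed_accounts)
    best, lo = set(), 0
    for hi in range(len(timed)):
        while timed[hi][0] - timed[lo][0] > window:
            lo += 1
        current = {account for _ts, account in timed[lo:hi + 1]}
        if len(current) > len(best):
            best = current
    return best


def lockstep_clusters(stars, min_accounts=MIN_ACCOUNTS, min_repos=MIN_REPOS, window=WINDOW):
    """Signal 2, greedy simplification: accounts that star the same repositories together."""
    by_repo = defaultdict(list)
    for account, repo, ts in stars:
        by_repo[repo].append((ts, account))
    clusters, seen = [], set()
    for seed in sorted(by_repo):
        members = densest_window(by_repo[seed], window)
        if len(members) < min_accounts:
            continue
        repos = [seed]
        for other in sorted(by_repo):
            if other == seed:
                continue
            # Keep only the members that also starred `other` within one window.
            shared = densest_window(
                [(ts, a) for ts, a in by_repo[other] if a in members], window)
            if len(shared) >= min_accounts:
                members, repos = shared, repos + [other]
        key = (frozenset(members), frozenset(repos))
        if len(repos) >= min_repos and key not in seen:
            seen.add(key)
            clusters.append((sorted(repos), members))
    return clusters


def build_sample():
    """Constructed events: 60 farm accounts, 10 one-off accounts, 5 organic developers."""
    t0 = datetime(2024, 7, 1, 12, 0)
    stars, other_events = [], {}
    for i in range(60):
        account = f"farm{i:02d}"
        stars.append((account, "example/alpha", t0 + timedelta(minutes=i)))
        stars.append((account, "example/beta", t0 + timedelta(hours=3, minutes=i)))
    for i in range(10):
        stars.append((f"oneoff{i}", "example/gamma", t0 + timedelta(days=i)))
    for i in range(5):
        account = f"dev{i}"
        other_events[account] = 200   # issues, pushes, comments and so on
        stars.append((account, "example/alpha", t0 + timedelta(days=30 * (i + 1))))
        stars.append((account, "example/delta", t0 + timedelta(days=45 * (i + 1))))
    return stars, other_events


if __name__ == "__main__":
    stars, other_events = build_sample()
    print("single-star, low-activity accounts:", sorted(low_activity_accounts(stars, other_events)))
    for repos, members in lockstep_clusters(stars):
        print(f"lockstep cluster: {len(members)} accounts across {repos}")
```

On the constructed data the farm accounts are caught only by the lockstep signal and the one-off accounts only by the low-activity signal, which is why the two are combined.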

Corroborating the paper's credibility, 90.42% of repositories flagged as fraudulent by StarScout had already been removed by GitHub as of January 2025, and 57.07% of associated accounts had been suspended. Given that the typical repository removal rate is approximately 5.03% and the account removal rate approximately 3.54%, this represents an exceptionally high rate of agreement. Associate Professor Vasilescu stated in an official CMU announcement, "The link between scams and fake stars had been pointed out before, but what surprised us was the *scale*," adding that "GitHub's entire ecosystem functions as an 'attention economy' similar to social media."

Particularly noteworthy is that fake star campaigns, which were nearly nonexistent until early 2022, had ballooned to 100 times that scale by July 2024. In that single month alone, an estimated 16.66% of repositories with 50 or more stars were likely involved in fake star campaigns.

"GitHub Stars" Openly for Sale — The Full Picture of a Real Market

When people hear "fake stars," many might imagine a black market operating quietly in the shadows. The reality is quite the opposite: multiple vendors openly sell GitHub stars as a "product," complete with legitimate e-commerce storefronts, 24/7 customer support, and EU-compliant invoice generation. Below is a list of the most prominent sellers whose names frequently come up among Silicon Valley founders and VCs. The fake star problem is not rumor — it has already become an established economic activity.

Baddhi Shop (based in Bangalore, India)

Baddhi Shop, a social media growth specialist, sells GitHub stars as a standard menu item alongside Instagram followers, YouTube views, and TikTok likes. Prices are extremely low at $64 USD (~¥9,600) per 1,000 stars, making it one of the most frequently cited vendors among OSS founders and growth consultants. In a real-world experiment conducted by Fraser Marlow of Dagster, who set up a dummy repository (frasermarlow/tap-bls), approximately 75% of stars purchased through Baddhi Shop were removed by GitHub within one month — yet they reportedly delivered enough short-term burst to trigger the Trending algorithm.

GitHub24 (based in Munich, Germany)

GitHub24 is a European vendor operated by Moller und Ringauf GbR, a legally registered company in Munich. Prices are approximately €0.85 per star (~¥138) — roughly 13 times the cost of Baddhi Shop — but in Dagster's experiment, nearly all purchased stars persisted for several months, establishing the service's reputation as a provider of "high-quality, permanent stars." With transparent corporate registration, bank account details, and EU-compliant invoice issuance, the veneer of legality — including the ability to purchase stars as an expensable "marketing cost" — significantly lowers the psychological barrier for startup finance teams.

US-Based Vendors Well-Known in Silicon Valley Circles

In Yehuda Gelb's "The GitHub Black Market" (Checkmarx), the US-based vendors listed include SocialPlug.io (multi-currency payments and 24/7 support, registered in Nevada), Buy.fans (cross-selling across Twitter/Instagram/GitHub), GitHubPromoter.com (a veteran GitHub-only service), Boost-Like.store (orders from as few as 5 stars), Followdeh.com, Vurike.com, and more than a dozen others. What these vendors have in common is product lineups that explicitly invoke Silicon Valley context, with names like "Silicon Valley Developer Credibility Package" and "Seed-Stage Founder Boost." Their sales pages openly name specific scenarios as target use cases — "before your YC (Y Combinator) Demo Day," "before your Series A raise" — deploying sales pitches blatantly tailored to VC sourcing pipelines.

Distribution Channels on Fiverr and Telegram

On Fiverr, the US freelance marketplace, searching keywords like "GitHub Star Boost," "GitHub Fork Service," or "GitHub Trending Service" returns hundreds of gigs (one-off services) starting at $5 USD. On Telegram, dedicated channels in English, Russian, and Chinese are continuously active, with sales groups accepting cryptocurrency, rubles, and yuan. Ongoing investigative reporting by The Hacker News and BleepingComputer has revealed a global market that operates with distinct regional segmentation.

The Top Tier: The "Aged Account" Market at ~$5,000 per Account

The most expensive product is a "pre-built GitHub persona" trading at around $5,000 USD (~¥750,000) per account. These are accounts created more than two years ago, with ongoing commit histories, followers, and fork activity — "cultivated" to a level indistinguishable from a seasoned human developer. According to DEV Community reporting, such accounts are repurposed for any number of uses: fabricating an OSS entrepreneur's professional history, falsifying profiles in job applications, lending credibility to malware repositories, and even manufacturing "core maintainer" lists to display on VC pitch slides. The very fact that a ¥750,000-per-account price point constitutes a stable market segment is the clearest evidence that the fake ecosystem has genuine economic rationale and persistent demand.


In this way, "fake stars" are no longer an exceptional product traded in the shadows by a handful of hackers — they have become legitimate services sold via public product pages with credit card checkout by professional vendors. What is particularly striking for Silicon Valley VCs and OSS founders is the reality that competitors or prospective portfolio companies can purchase these services from the same public web they use every day, with nothing more than a single credit card transaction. The chapters that follow will examine the investment fraud and malware incidents that have materialized as a result of using these vendors, as well as the specific defensive measures that Tier 1 VCs have begun to adopt.

Silicon Valley VCs' Wariness of the "Reputation Bubble"

Tier 1 VCs have begun viewing this issue not merely as technical fraud, but as "a risk that undermines the very foundation of due diligence." Jordan Segall, a partner at Redpoint Ventures, previously published a data-driven fundraising guide titled "So How Many Stars Is Enough?" which presented concrete figures — a median of 2,850 stars at seed funding and 4,980 stars at Series A — derived from an analysis of more than 80 developer tools companies. The piece has since been widely cited as an industry benchmark. In that same article, Segall candidly noted that "many VCs write their own scraping programs to discover fast-growing GitHub projects, and stars are the most referenced metric in that process," corroborating the reality that star counts are directly tied to VC sourcing pipelines.

Yet the widespread knowledge of this "2,850 stars equals seed-stage" rule of thumb has created a perverse incentive in the opposite direction. Services with an air of legitimacy — such as GitHub24 (operated by Munich-based German registered entity Moller und Ringauf GbR) — trade stars at €0.85 each (approximately ¥138), meaning the budget required to fabricate 2,850 stars is roughly €2,422 (approximately ¥395,000), and even the Series A median of 4,980 stars costs only €4,233 (approximately ¥689,000). Given that the median seed raise during the same period ranged from $1 million to $10 million (approximately ¥150 million to ¥1.5 billion), the ROI works out to an extraordinary ratio of 3,500x to as high as 117,000x. Silicon Valley SaaS media outlet SaaStr and investor-focused newsletters from The Information have both highlighted this "asymmetric return on investment," sounding the alarm that "GitHub stars are no longer a standalone decision-making metric."

A feature published in Awesome Agents in April 2026 titled "Inside GitHub's Fake Star Economy" reported that multiple venture partners in Silicon Valley — speaking on condition of anonymity — said that "at least several investment decisions over the past two years would have been reconsidered had we verified the star history after the fact," suggesting that even Tier 1 VCs are losing the capacity for self-correction.

"Investment Fraud" Cases Deceiving VCs (Venture Capitalists)

Investment fraud using fake GitHub stars has already materialized at the level of concrete legal precedent. Manish Lachwani, the CEO of test automation startup HeadSpin, was indicted on wire fraud and securities fraud charges for inflating revenue to approximately four times actual performance and presenting Apple and American Express as fictitious customers to investors. For deceiving investors out of approximately $80 million in funding, he was sentenced in April 2024 to 18 months in prison and fined $1 million. Legal experts have positioned this ruling as a significant precedent that "explicitly demonstrates that inflation of soft metrics can be subject to criminal penalties," and the view is spreading that "if investors deployed capital based on star counts, purchasing fake stars could fall within the wire fraud framework."

Additionally, in the ROSS Index (Runa Open Source Startups Index) published by venture capital firm Runa Capital, Union Labs (a blockchain-related startup) recorded a quarterly star growth rate of 54.2x and a total of 74,300 stars in the Q2 2025 rankings, claiming the top position. However, when StarScout later analyzed the data, it was found that 47.4% of Union Labs' stars were flagged as suspected fake stars, with 32.7% of the star accounts being accounts that "owned zero repositories" and 52% being accounts with "zero followers." The Fork-to-Star ratio of 0.052 showed an anomalous value well below the healthy project average of 0.16, suggesting that the very rankings driving investment cycles may themselves have been corrupted. The ROSS Index is referenced by VCs worldwide as a "tool for discovering emerging OSS startups," and the implications of its credibility being undermined are incalculable.

The U.S. Federal Trade Commission (FTC) finalized the "Consumer Review Rule" in October 2024, explicitly prohibiting the act of fabricating social media influence for commercial purposes. Violations carry civil penalties of up to $53,088 per violation, meaning that using fake stars in the course of equity fundraising creates a risk of enforcement action from the FTC in addition to the SEC.

Concealment of a Polished "Bot Farm"

Bot farms prior to 2024 were predominantly "obviously suspicious" — accounts that had just been created would collectively star repositories while leaving their profiles completely blank. However, bot farms from 2025 onward have become increasingly difficult to distinguish from real humans by leveraging accounts that have undergone extended "aging" periods.

According to an analysis published by StartupHub.ai in April 2026, the current generation of fake engagement has evolved to the point of "automatically generating multi-paragraph technical reviews, filing issues complete with reproduction steps, and submitting pull requests containing meaningful code changes." Beyond that, AI-generated profile pictures, months of continuous fake commit histories, forked repositories, bio text, and followers are all orchestrated to create a comprehensive "social context." These "aged accounts" trade at a market price of $0.80–$0.90 per star — more than ten times the cost of disposable accounts.

Fraser Marlow, former CEO of Dagster, candidly admitted in his company's engineering blog that "in the period before fundraising, I spent a considerable amount of time on 'GitHub stars.'" He then set up a dummy repository (frasermarlow/tap-bls) to investigate, and actually purchased stars from multiple vendors — including Baddhi Shop (1,000 stars for $64) and GitHub24 — to study their behavior. In Baddhi Shop's case, 75% of the stars were removed within a month, while nearly all of GitHub24's stars remained, revealing a "quality difference commensurate with price."

Algorithm Hacks for the "GitHub Trending" Tab

The "Trending" section displayed on GitHub's Explore tab is an important gateway through which new users discover projects. Of the repositories detected running fake star campaigns, 78 have appeared on GitHub Trending, demonstrating that the algorithm is being reliably gamed. For example, if a repository surges from 10 stars to 500 stars in a single week, the Trending algorithm amplifies it as "rapidly rising," exposing it to real developers on the front page, where genuine stars then accumulate in a chain reaction — a so-called bootstrap effect.

Security media outlet BleepingComputer described this mechanism as "an extremely effective distribution channel for malware repositories, as it allows them to quickly attain top rankings trusted by both investors and developers alike." Furthermore, as Checkmarx's Yehuda Gelb revealed in "The GitHub Black Market: Gaming the Star Ranking Game," at least a dozen operators — including SocialPlug.io, Buy.fans, Boost-Like.store, GitHubPromoter.com, Followdeh.com, and Vurike.com — openly offer star-selling services, with transactions routinely taking place on Fiverr and multiple Telegram channels as well.

"Negative Bot" Attack on Rival Companies

While GitHub does not have a "negative rating" button like social media platforms, bot attacks designed to achieve equivalent effects have become a real threat. Specific tactics include flooding a rival company's repository with mass "Report spam/abuse" submissions to trigger automatic suspension by GitHub's Trust & Safety team, or deliberately sending large volumes of meaningless Issues and low-quality PRs to consume maintainers' time.

The "hackerbot-claw" incident reported by StepSecurity in March 2026 illustrates this new phase. Between February 21 and March 2, 2026, an AI-driven bot claiming to be an "autonomous security research agent" (and asserting it used Claude-Opus-4.5 internally) repeatedly executed remote code against CI/CD pipelines of at least seven major open-source projects — including Microsoft, DataDog, and CNCF — automatically rotating through five different attack techniques. In one prominent repository, the bot successfully exfiltrated a GitHub token with write permissions, leading security researchers to regard this not as mere mischief but as a forerunner of "autonomous AI attacks aimed at eliminating competitors or achieving financial gain."

Further, in April 2026, a campaign dubbed "prt-scan" was identified in which attackers sent 475 malicious PRs to prominent organizations and individual developers within a 26-hour window. This is a classic distraction attack: while target maintainers are overwhelmed with reviews, their attention is diverted to allow separate attack vectors to proceed. In response, GitHub's Head of Trust & Safety announced a pilot rollout of PR rate limits and AI-gated review screening during Q2 2026.

Supply Chain Attack (Malware Spreading) Case Study

The greatest danger of fake stars is the spread of malware through repositories that fake credibility. CMU research found that many repositories with fake stars were short-lived phishing-type malware repositories disguised as "pirate software," "game cheats," or "crypto bots." Socket's analysis also revealed that 28 repositories flagged as malware by VirusTotal were still live on GitHub at the time of disclosure. As a prominent example, Solmonster/PhantomSniper-Solana-Sniper-Bot, named explicitly by Socket researchers, was designed to masquerade as a "sniper bot" for Solana while using hidden spawn() calls to launch obfuscated remote scripts that drained funds from users' cryptocurrency wallets. At the time of discovery, it had accumulated 109 fake stars, and numerous victims had posted warnings in the Issues thread.

An even larger incident was the tj-actions/changed-files supply chain compromise (CVE-2025-30066), which occurred in March 2025. This GitHub Action was used by more than 23,000 repositories. Attackers stole the PAT of @tj-actions-bot, rewrote all version tags to malicious commits, and exfiltrated sensitive credentials—including AWS access keys, GitHub PATs, npm tokens, and RSA private keys—into workflow logs via CI runner memory dumps. Major security vendors including CISA (the U.S. Cybersecurity and Infrastructure Security Agency), Wiz, Unit 42, Semgrep, and Cycode issued warnings in succession, and the impact cascaded to reviewdog/action-setup@v1 (CVE-2025-30154), which was similarly tampered with around the same time.

Then in November 2025, the "Shai-Hulud 2.0" campaign targeted the npm ecosystem. Unit 42, Microsoft Security, Wiz, CheckPoint, Arctic Wolf, and Zscaler each published detailed reports in rapid succession; the scope of damage reached more than 25,000 GitHub repositories and hundreds of npm packages, including those of Zapier, ENS Domains, AsyncAPI, PostHog, Browserbase, and Postman. During the preinstall phase, attackers executed setup_bun.js and bun_environment.js to steal victims' npm tokens, GitHub tokens, SSH keys, cloud credentials, and CI/CD secrets—then created a public repository named "Shai-Hulud" under the compromised account and committed the stolen data to it, exhibiting self-replicating behavior.

In sophisticated attacks like these, fake stars serve as the first point of entry. By poisoning the discovery pipeline for tools, they dramatically amplify the probability of harm. In the PyStoreRAT campaign reported by The Hacker News in December 2025, repositories disguised as OSINT tools and GPT utilities used fake stars to feign credibility, reaching real developers via Discord and tech blogs—and racking up tens of thousands of downloads as a result.

Disguise for "Recruitment and Branding" Purposes

The abuse of fake stars has spread beyond corporate valuation to individual hiring processes. Because corporate recruiters and managers reference GitHub profiles as a "proxy metric for developer ability," job seekers have a strong incentive to fabricate their profiles. According to a DEV Community report, "ready-made GitHub personas" — complete with mature histories, numerous followers, and starred repositories — are being traded for approximately $5,000 per account.

Conversely, cases of attackers impersonating recruiters are also on the rise. In an incident reported by ReversingLabs, fake recruiters operating via LinkedIn and GitHub sent messages saying "Please run our coding test in your home terminal," deploying malware the moment a malicious Python package included in the project was executed. This VMConnect campaign has been linked to the North Korean threat actor Lazarus Group. A 2024 investigation published on Medium by community researcher Heiner identified at least 250 fake recruiter accounts that "share photos of women and similar bios."

Additionally, Palo Alto Networks Unit 42 has reported cases where attackers set up trap repositories on GitHub disguised as "patches," luring security researchers who were investigating their own organization's vulnerabilities and infecting them with malware instead. A high star count serves as a prop to lend these traps an air of legitimacy.

On the other hand, there are also risks in overly idealizing hiring candidates. StartupHub.ai has pointed out a negative feedback loop: "the more a company's CTO values a candidate's GitHub star count during interviews, the more that candidate will want to buy stars." The argument is that a culture in which star counts become a primary factor in candidate evaluation is itself fueling the growth of the fake profile economy.

Measures Being Taken by Smart Executives and Engineers as of 2026

In a world where the reliability of star counts has collapsed, Tier 1 VCs and CTOs have begun adopting combinations of alternative metrics that don't rely on stars. This is less about searching for a single "magic metric" and more about an approach of cross-validating multiple independent perspectives.

Examining the Shape of Star History Graphs

The first check is to visualize the distribution of when stars were granted. Natural growth traces a gradual curve overall, punctuated by small spikes triggered by news, conference appearances, or major releases. Fake stars, by contrast, form a vertical cliff (spike) within a 24-to-48-hour window that shows no correlation whatsoever with increases in Issues, PRs, or Discussions. This difference is strikingly clear even to the human eye, and by spring 2026 the culture of verifying this through visualizers like star-history.com has become a de facto standard. In an April 2026 Medium piece titled "Your GitHub Stars Might Be Fake," Joe Junior Frecce wrote: "Investors are watching your star growth curve. Gradual growth with broad geographic distribution has become far more trusted than a spike concentrated over a single week."
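The cliff-versus-curve check can also be automated. The sketch below is an added example, not code from star-history.com or any tool named here: it flags 48-hour star bursts that arrive without a matching rise in Issues, PRs or Discussions, and the thresholds, the 28-day baseline and both daily series are assumptions constructed for illustration.

```python
from statistics import median


def suspicious_spikes(stars, engagement, width=2, lookback=28,
                      star_factor=10.0, engagement_factor=2.0):
    """Find star bursts that arrive without a matching rise in issues, PRs or discussions.

    stars[i] and engagement[i] are counts for day i. A window of `width` days is a hit
    when its star total is at least star_factor times the trailing-median baseline while
    engagement stays below engagement_factor times its own baseline.
    Returns (first_day, last_day, stars_in_window), one entry per burst.
    """
    if len(stars) != len(engagement):
        raise ValueError("series must cover the same days")
    hits = []
    for start in range(lookback, len(stars) - width + 1):
        history = slice(start - lookback, start)
        # The median ignores earlier bursts; the floor of 1 avoids a zero baseline.
        star_base = max(median(stars[history]) * width, 1.0)
        eng_base = max(median(engagement[history]) * width, 1.0)
        star_burst = sum(stars[start:start + width])
        eng_burst = sum(engagement[start:start + width])
        if star_burst >= star_factor * star_base and eng_burst < engagement_factor * eng_base:
            hits.append((start, star_burst))

    # Overlapping windows describe one burst: keep the heaviest window of each run.
    bursts, prev = [], None
    for start, total in hits:
        if prev is not None and start - prev == 1:
            if total > bursts[-1][1]:
                bursts[-1] = (start, total)
        else:
            bursts.append((start, total))
        prev = start
    return [(start, start + width - 1, total) for start, total in bursts]


def organic_series(days=60):
    """Constructed: a release on days 35-36 lifts stars and engagement together."""
    stars, engagement = [3] * days, [2] * days
    stars[35:37] = [40, 30]
    engagement[35:37] = [12, 10]
    return stars, engagement


def purchased_series(days=60):
    """Constructed: 490 stars land on days 40-41 while engagement stays flat."""
    stars, engagement = [3] * days, [2] * days
    stars[40:42] = [250, 240]
    return stars, engagement


if __name__ == "__main__":
    print("organic:", suspicious_spikes(*organic_series()))
    print("purchased:", suspicious_spikes(*purchased_series()))
```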

Prioritizing Real Usage Metrics (NPM/PyPI Download Counts)

Star counts represent nothing more than "the number of people who became aware of the repository," whereas NPM and PyPI download counts reflect "the number of times the package was actually installed and used," making them a metric closer to actual usage. That said, as developer Andy Richardson's public experiment demonstrated — in which he drove downloads of his own package to nearly one million per week using only AWS Lambda's free tier — download counts alone cannot be taken at face value. The 2026 best practice is therefore to examine download counts alongside their "geographic distribution," "time-of-day distribution," and "version migration patterns." Visualization dashboards provided by Socket, Snyk, libraries.io, and npmtrends.com make these composite checks straightforward.

The "Quality" of Forks

Forking is a stickier action than starring, but numbers alone can still be gamed. What truly matters is the ratio of "active forks" — forks where the account has made original commits to the code and is using it in their own projects. In healthy OSS projects, fork counts are said to fall between 15–25% of star counts. The extremely low ratio of 0.052 for Union Labs cited in a CMU paper, and FreeDomain's 0.017 — with 81.3% of stars coming from "zero-follower accounts" — represented a level of manipulation readable even by the naked eye.

Dependent Repository Count (Used By)

When GitHub's dependency graph is enabled, the package is published to a supported ecosystem (npm, PyPI, Go modules, etc.), and 100 or more repositories depend on it, a "Used by" section appears in the right sidebar of the repository page. Because this indicates "upstream status" in the supply chain, it is an extremely difficult metric to fake. Among Tier 1 VCs and CTOs at major tech companies, a culture is taking hold of reviewing the "Used by" avatar list during acquisition due diligence or software adoption evaluations — scrutinizing not just the count but the quality of the dependent accounts (anonymous accounts vs. well-known organizations).

Bessemer's Framework for Prioritizing "Unique Monthly Contributors"

Bessemer Venture Partners defines its "north star metric" for open-source investment as Unique Monthly Contributor Activity. According to the firm's Atlas materials, a contributor is broadly defined as "a user who, within a given month, created an Issue, commented on an Issue, submitted a PR, or made a commit." Reaching a stable 100 per month is considered promising; consistently exceeding 250 per month is rated top-tier. The breadth of this definition exploits the property that the cost of sustaining Issue, PR, and commit activity continuously over an extended period — even with sophisticated bots — becomes prohibitively high.

Integrating Automated Fake-Star Detection Tools

Independent engineering teams have also released detection tooling. dagster-io/fake-star-detector, published by Dagster, is a pipeline combining Dagster, dbt, and BigQuery; validation by Fraser Marlow's team achieved 98% precision and 85% recall. Ullaakut/astronomer is a CLI tool that estimates "the probability that a user who starred is a real human" from the account's past behavior. m-ahmed-elbeskeri/Starguard is an OSS auditing tool that has been adopted by both security teams and VCs for reviewing not only fake stars but also signs of dependency hijacking and license red flags in a single pass. mercurialsolo/realstars is a Chrome extension and Claude Code plugin applying CMU's StarScout research, enabling direct in-browser repository evaluation. The movement to integrate these tools into CI/CD and Software Composition Analysis (SCA) pipelines is spreading rapidly, and this trend is accelerating beyond 2026.

Institutional Responses from the VC Industry

Sequoia Capital and Andreessen Horowitz (a16z) have avoided direct public commentary on this situation in their official blogs, but are reported to have added items such as "machine learning analysis of star history," "manual review of contributor distribution," and "cross-checking NPM/PyPI against GitHub" to their internal due diligence checklists (per posts on StartupHub.ai and anonymous Hacker News threads). Following the XZ Utils backdoor incident of 2024 — in which an attacker operating under the name Jia Tan spent over two years gradually acquiring co-maintainer privileges — the Linux Foundation published guidelines for "maintainer risk assessment that assumes social engineering," and this has also fueled a trend of VCs evaluating OSS projects not merely on "volume of activity" but on "the health of their human relationships."

Media Reactions and Future Outlook

Major tech outlets — including UK-based *Computing*, US-based *Slashdot*, *Bleeping Computer*, *The Hacker News*, *TechTarget*, *DevOps.com*, and *How-To Geek* — have, since the publication of the CMU/Socket paper, begun treating the fake-star problem not as "merely an internal GitHub matter" but as a challenge to "the supply-chain trustworthiness of open source as a whole." Japan's *GIGAZINE* also published an explainer on April 21, 2026, titled "The Terrifying Reality of GitHub's Fake-Star Economy," offering a detailed look at the distortions in the star economy and the precariousness of investment decisions based on it.

Multiple Silicon Valley VCs say in unison: "We haven't stopped looking at stars, but we only use them as a starting point." The center of gravity in genuine due diligence has shifted toward reading the totality of multilayered human activity — commit history, issue quality, dependency graphs, contributor distribution, and the "temperature" of community conversations. GitHub has reportedly been considering piloting "Weighted Stars" and automated shadow-banning of fraudulent accounts since the second half of 2025, but until the platform's countermeasures catch up, both investors and developers will continue to face a situation that demands sharp discernment.

As Associate Professor Vasilescu noted, "No software today is written from scratch — you reuse as much existing work as possible." It is precisely for this reason that the fake-star economy, which poisons the trust infrastructure of the OSS community, is being understood not merely as a form of fraud, but as a problem that corrodes the very foundation of the software industry.

