Threat Detection

Star-Jacking Detection

Malicious packages link to popular GitHub repositories they don't own — borrowing thousands of stars to appear legitimate. Hextrap catches this deception by cross-referencing repository metadata.

What Is Star-Jacking?

Star-jacking is a social engineering technique where a malicious package's metadata (homepage URL, repository URL) points to a popular, unrelated GitHub repository. When a developer checks the package on PyPI or npm, they see thousands of stars and active development — all of which belong to someone else's project.

This creates a false sense of legitimacy. The developer assumes the package is well-maintained and widely used, when in reality it's a malicious imposter borrowing credibility from an established project.

How Hextrap Detects It

During Phase 2 content analysis, Hextrap examines the repository URL listed in a package's metadata and applies several checks:

  • Name similarity check: If the package name has less than 50% similarity to the repository name, it's flagged. A package called fast-utils linking to facebook/react is suspicious.
  • Star threshold: The repository must have 5,000+ stars for the signal to trigger. Star-jacking only works against popular repositories that confer meaningful credibility.
  • Owner mismatch: The package author and repository owner are cross-referenced where author information is available.
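The three checks above, as an added example that is not Hextrap's own code: the similarity metric (difflib's ratio over normalized names) and the in-memory repository table standing in for a GitHub API lookup are assumptions, and the star counts are constructed.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

STAR_THRESHOLD = 5000            # repo must be this popular to confer credibility
NAME_SIMILARITY_THRESHOLD = 0.5  # flag when package/repo names match less than 50%

@dataclass
class RepoMeta:
    owner: str
    name: str
    stars: int

def normalize(name: str) -> str:
    # Collapse case and separators so "Fast_Utils" and "fast-utils" compare equal.
    return re.sub(r"[^a-z0-9]", "", name.lower())

def name_similarity(package_name: str, repo_name: str) -> float:
    # Assumed metric: difflib ratio in [0, 1]; Hextrap's exact metric is not documented here.
    return SequenceMatcher(None, normalize(package_name), normalize(repo_name)).ratio()

def parse_github_repo(url: str) -> Optional[Tuple[str, str]]:
    # Accepts github.com/owner/repo with or without scheme and a trailing .git.
    parsed = urlparse(url if "://" in url else "https://" + url)
    if parsed.netloc.lower() != "github.com":
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    return parts[0], re.sub(r"\.git$", "", parts[1])

def check_star_jacking(package_name: str, author: Optional[str], repository_url: Optional[str],
                       repos: Dict[Tuple[str, str], RepoMeta]) -> Optional[dict]:
    target = parse_github_repo(repository_url) if repository_url else None
    if target is None:
        return None
    repo = repos.get((target[0].lower(), target[1].lower()))
    if repo is None or repo.stars < STAR_THRESHOLD:
        return None  # an obscure repo is not worth jacking, so no signal
    similarity = name_similarity(package_name, repo.name)
    if similarity >= NAME_SIMILARITY_THRESHOLD:
        return None
    return {"signal": "STAR_JACKING", "severity": "MEDIUM",
            "repository": f"{repo.owner}/{repo.name}", "stars": repo.stars,
            "name_similarity": round(similarity, 2),
            # Only evaluated when the registry exposes an author; None means "unknown".
            "owner_mismatch": None if author is None else author.lower() != repo.owner.lower()}

# Constructed stand-in for a GitHub metadata lookup (star counts are illustrative).
REPOS = {("facebook", "react"): RepoMeta("facebook", "react", 220_000),
         ("example", "tiny-lib"): RepoMeta("example", "tiny-lib", 12)}
```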

Why This Signal Matters

Star-jacking is often combined with other attack techniques. A typosquat package that also star-jacks a popular repository is significantly more convincing than one with no repository link. Attackers use this layered approach to bypass human review:

  • The name looks right (typosquat)
  • The repository looks legitimate (star-jacking)
  • The version number is high (version anomaly)
  • The install script runs a payload (install hook)

By detecting star-jacking as an independent signal, Hextrap adds another layer to its multi-signal analysis, catching packages that might pass individual checks but exhibit a pattern of deception.

Severity: MEDIUM
Signal Type: STAR_JACKING
Detection Phase: Phase 2 (Content Analysis)
Registries: PyPI, npm
Method: Repository cross-referencing
Threshold: 5,000+ stars, <50% name similarity

Real-World Example

Package: fast-utils
Repository: github.com/facebook/react
Stars: 220,000+
Name match: 12%

Signal: STAR_JACKING (MEDIUM)
The package name does not match the claimed repository.

Catch Fake Credibility Signals

Don't trust a package just because it links to a popular repository.