ghbuster is a tool to detect suspicious GitHub repositories and users using heuristics. It is designed to help identify potentially malicious or inauthentic accounts and repositories on GitHub.
## Installation

Install uv if needed:

```bash
brew install astral-sh/uv/uv
# or see https://docs.astral.sh/uv/getting-started/installation/ for other platforms
```

You can then install ghbuster:

```bash
uv pip install "git+https://github.com/DataDog/ghbuster.git"
```

Then run it using:

```bash
export GITHUB_TOKEN=<your_github_token>
ghbuster
```

## Heuristics

### Repository heuristics

| ID | Name | Description |
|---|---|---|
| repo.commits_suspicious_unlinked_emails | Repository commits only from suspicious unlinked emails | Detects when a repository has commits with unlinked emails that also don't match the owner's username or full name. |
| repo.stargazers_joined_same_day | Repository has stargazers who joined the same day | Detects when a repository has a large proportion of its stargazers who joined GitHub on the same day, which may indicate a coordinated effort to boost the repository's popularity. |
| repo.starred_by_suspicious_users | Repository starred by suspicious users | Detects when over 80% of a repository's stars come from users matching the user heuristics below, suggesting the stargazers may be inauthentic. |
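To make the `repo.stargazers_joined_same_day` heuristic concrete, here is an added illustration of how such a check can be computed from the `created_at` field of GitHub user objects. It is not ghbuster's own implementation; the sample stargazer list is constructed, and the `min_stargazers` and `threshold` values are assumptions chosen for the example.

```python
from collections import Counter
from datetime import date, datetime

# Constructed sample, not real GitHub data: eight accounts created within
# minutes of each other on one day, plus four long-standing accounts.
BURST_DAY = "2024-03-12"
SAMPLE_STARGAZERS = [
    {"login": f"new{i:02d}", "created_at": f"{BURST_DAY}T09:{i:02d}:00Z"}
    for i in range(8)
] + [
    {"login": "alice", "created_at": "2015-06-01T12:00:00Z"},
    {"login": "bob", "created_at": "2019-11-20T08:30:00Z"},
    {"login": "carol", "created_at": "2021-02-14T17:45:00Z"},
    {"login": "dave", "created_at": "2023-09-30T23:59:59Z"},
]


def join_date(user: dict) -> date:
    """Parse the UTC `created_at` timestamp (ISO-8601, trailing Z) of a user object."""
    return datetime.strptime(user["created_at"], "%Y-%m-%dT%H:%M:%SZ").date()


def stargazers_joined_same_day(stargazers, min_stargazers=10, threshold=0.5):
    """Flag a repository when a large share of its stargazers share one join date.

    `min_stargazers` and `threshold` are illustrative assumptions, not ghbuster's
    values: with too few stargazers a shared join date means little, and the
    threshold decides what counts as a "large proportion".
    Returns a dict with the verdict and the evidence behind it.
    """
    total = len(stargazers)
    if total < min_stargazers:
        return {"triggered": False, "reason": "too few stargazers", "total": total}
    by_day = Counter(join_date(s) for s in stargazers)
    day, count = by_day.most_common(1)[0]
    ratio = count / total
    return {
        "triggered": ratio >= threshold,
        "day": day.isoformat(),
        "count": count,
        "total": total,
        "ratio": round(ratio, 3),
        # Accounts that joined on the most common day, for analyst follow-up.
        "accounts": [s["login"] for s in stargazers if join_date(s) == day],
    }


if __name__ == "__main__":
    print(stargazers_joined_same_day(SAMPLE_STARGAZERS))
```

In a real run the stargazer list would come from the GitHub API's stargazers endpoint for the repository; the returned `accounts` list is what an analyst would pivot on with the user heuristics.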
### User heuristics

| ID | Name | Description |
|---|---|---|
| user.commits_unlinked_emails | User has only commits from unlinked emails | Detects when all of a user's commits are from emails not linked to their GitHub profile. This may indicate a threat actor leveraging distinct inauthentic accounts. |
| user.forks_from_taken_down_repos | User has forks of taken-down repositories | Detects when a user has forks from repositories that have been taken down. This may indicate that the user is being leveraged as part of a campaign to make inauthentic repositories appear legitimate. |
| user.just_joined | User recently joined GitHub | The GitHub user joined the platform less than 7 days ago. |
| user.low_community_activity | User with low community activity | Detects when a user has very low community activity. This may indicate that the user is inauthentic. |
| user.missing_common_fields | User has none of the common profile fields set | Detects when a GitHub user is missing a number of highly common fields (name, company, bio, location) in their profile. |
| user.repos_only_forks | User has only forks | Detects when all of a user's repositories are forks. This may be an indication that the user is used solely to make other repositories appear legitimate. |
## References

- https://media.defcon.org/DEF%20CON%2033/DEF%20CON%2033%20presentations/Christophe%20Tafani-Dereeper%20Matt%20Muir%20-%20Weaponizing%20Trust%20Investigating%20a%20Threat%20Actor%20Targeting%20Security%20Researchers%20and%20Academics.pdf
- https://securitylabs.datadoghq.com/articles/mut-1244-targeting-offensive-actors/
## Development

To run the local ghbuster version, use:

```bash
uv venv
export GITHUB_TOKEN=<your_github_token>
uv run python -m ghbuster
```

To run the tests, use:

```bash
uv run python -m unittest discover tests/heuristics
```

To generate the documentation, use:

```bash
uv run python -m scripts.generate_heuristics_docs README.md
```