Eight accounts, six years of creation dates, following counts within a range of 25. Here's how following-list overlap analysis exposed a coordinated inauthentic network that cross-follow detection completely missed. Tagged with security, github, python, opensource.

Dev.to is a community platform for developers, offering resources, discussions, and networking opportunities to empower individuals in their coding journey. Developers can learn new programming languages, frameworks, and tools, engage in discussions on best practices, and share their experiences with fellow developers to enhance their skills and grow their professional network.

A developer auditing their GitHub followers discovered 8 accounts created across 6 years with following counts within a range of 25. Classic cross-follow botnet detection returned all zeros, but computing pairwise Jaccard similarity on their full following lists (~29,800 entries each) revealed scores above 0.99 across all pairs, with 29,682 accounts followed by all 8 simultaneously. The post explains why following-list overlap is a more robust detection signal than cross-following, provides the Python script used, and discusses plausible use cases including social proof laundering for malicious repositories.

Found a Coordinated GitHub Follow Botnet Hiding in My Followers?

The Important Signal Wasn't Cross-Following

Alternative Explanations and False Positives