I recently received a notification for modifications on a repo of another user to which I had supposedly participated, and for which I made 12 commits. The problem is I have never made any of these commits (and have never heard of the user or repo before).

I have changed my account password for security (I do not have any SSH keys authorised), but this doesn’t seem like hacked-account behavior (the commits look like an educational blog project). In addition, although “my” commits do show up on the repo’s page, they do not show on my profile activity overview (no commits over the period where they supposedly were made: October 5 → October 13th).

Does someone have an idea why this would have happened and how to avoid it?

The repo which I have never committed to but am listed as a contributor:

My account:

Thank you for your help,

Anyone can make a commit impersonating anyone simply by changing the git username and git email to match the GitHub user.

You could GPG-sign your commits and turn on vigilant mode, which would flag unsigned commits as unverified, but this would not prevent the person from still making commits under that name.
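To check a clone for commits that carry your e-mail address but no good signature, the following added example (not part of the original thread) reads git's local signature status with `%G?`. The function names, the throwaway repository and the `example.com` identities are constructed for illustration; the status is git's own local verification, not GitHub's "Verified" badge.

```shell
#!/usr/bin/env bash
# Added example: audit a repository for commits attributed to an e-mail
# address that do not carry a good signature.
# %G? values: G = good signature, N = no signature, B = bad signature,
# U = good signature of unknown validity, E = signature could not be checked.

# usage: unverified_commits_for <repo-dir> <email>
# prints "<commit-hash> <status>" for each matching commit whose status is not G
unverified_commits_for() {
    git -C "$1" log --all --format='%H %G? %ae' |
        awk -v me="$2" 'tolower($3) == tolower(me) && $2 != "G" { print $1, $2 }'
}

# Constructed sample data: a throwaway repo in which the author fields are
# simply whatever the committing machine had configured. Nothing in git
# checks that the e-mail address belongs to the person running the command.
build_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q >/dev/null 2>&1
    for msg in 'blog post 1' 'blog post 2'; do
        git -C "$dir" -c commit.gpgsign=false \
            -c user.name='Alice Example' -c user.email='alice@example.com' \
            commit -q --allow-empty -m "$msg"
    done
    git -C "$dir" -c commit.gpgsign=false \
        -c user.name='Bob Example' -c user.email='bob@example.com' \
        commit -q --allow-empty -m 'fix typo'
    echo "$dir"
}

# Stand-alone run: every commit under alice@example.com is reported with
# status N, because none of them is signed.
demo_repo=$(build_demo_repo)
unverified_commits_for "$demo_repo" 'alice@example.com'
rm -rf "$demo_repo"
```

On a real clone, pass the repository path and the address tied to your account; any line printed is a commit that names you as author without a signature that verifies locally.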

Thank you for answering my question. Does this mean an account could theoretically be spammed with commit notifications from various accounts who decide to use someone else’s identity to sign commits?

You can suppress those notifications by changing the watch status for that repository to ignored.