I post it in here, since it is more an GitHub issue, original post under Linux but I decided to delete it after some people made me aware of a link at the bottom which I overlooked.

Apparently you can inject fake commit hashes into someones else repo to make it look like it is from the original author.

GitHub seems to not fix it, because it is a feature which sucks.

To avoid this you can

• Check commit ID
• Check history of commits from the particular repo manually.