It is easy to pretend to be another user in git: you simply need their displayed user name and email address. There are much better articles out there covering git user spoofing in depth, so I shall spare you the details.
Instead, let's talk about how we can prevent this using a simple tool called GnuPG. It can be easily installed with Homebrew using brew install gnupg. GitHub provides a nice set of instructions for generating a GPG key and adding it to your account, so I shall skip that as well.
I'm simply here to show you what happens when someone spoofs another user's credentials and makes malicious commits.
See the Verified and Unverified flags?
You can easily prove your own commits simply by adding a set of GPG keys into your account.
What if we go one step further and require all commits to be signed?
And now we make another malicious edit and attempt to push again!
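Here is an added example (not from the original post) that does locally what the Verified flag does on GitHub: it reads git's own per-commit signature status letter and signing key ID and lists every commit that would not show as Verified, including one that is signed but with a key that is not registered for the author's email. The log lines, key IDs and the trusted-key allow-list are constructed for the demonstration.

```python
"""Audit git history for commits that would not earn a 'Verified' flag.
Hypothetical helper, not from the original post. Feed it the output of
    git log --format='%H%x09%G?%x09%GK%x09%ae'
where %G? and %GK are git's signature status letter and signing key ID."""
from dataclasses import dataclass

# Meaning of each %G? status letter, as documented in git-log(1).
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, made by expired key",
    "R": "good signature, made by revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

@dataclass
class Commit:
    sha: str
    status: str
    key_id: str
    author_email: str

def parse_log(text):
    """Parse one tab-separated git log line per commit."""
    commits = []
    for line in text.strip().splitlines():
        sha, status, key_id, email = line.split("\t")
        commits.append(Commit(sha, status, key_id, email))
    return commits

def audit(commits, trusted_keys):
    """Return (sha, reason) for every commit that is unsigned, unverifiable,
    or signed with a key not on the allow-list for its author email. The last
    check is what stops spoofing: anyone can sign as 'Alice' with their own key."""
    findings = []
    for c in commits:
        if c.status != "G":
            findings.append((c.sha, STATUS.get(c.status, "unknown status")))
        elif c.key_id not in trusted_keys.get(c.author_email, set()):
            findings.append((c.sha, f"key {c.key_id} not registered for {c.author_email}"))
    return findings

# Constructed sample: a good commit, an unsigned spoof, and one signed by a stray key.
SAMPLE_LOG = """a1b2c3d\tG\tABCDEF0123456789\talice@example.com
d4e5f6a\tN\t\talice@example.com
b7c8d9e\tG\tFFFF000011112222\talice@example.com"""
TRUSTED_KEYS = {"alice@example.com": {"ABCDEF0123456789"}}
```

Running audit(parse_log(SAMPLE_LOG), TRUSTED_KEYS) reports the unsigned commit and the one signed with an unregistered key, and nothing for the good one.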
Your million dollar git repository is now safe from user spoofing with just two simple steps.