How can we prevent this? Can we not start forcing MFA for git pushes? Use your fingerprint, MFA, or yubikey - reject unsigned commits on public repos?