❓ Strange Contributor Listed on Repository, Conflicting with Settings and Commit History :/

[AMR-M-ALSHAMEERI]

Select Topic Area

Question

Body

Hello community, I am encountering a bizarre and concerning issue on one of my personal repositories and I'm hoping someone can shed some light on what might be happening.

I have a repository where a strange, unknown user is being displayed as a contributor in several places, even though they were never explicitly invited or added.

The Conflict
Here are the specific, conflicting details I'm observing:

• Repository Contributors List (Main Page): The unknown user's avatar and name appear in the list of contributors displayed on the main repository page (often in the sidebar or under "Contributors").

• Settings Confirmation (Correct): When I go to the repository's Settings > Collaborators and teams, it correctly states: "There are no collaborators in this repository." This confirms I have not explicitly added them.

• Commit History Hijack (Most Puzzling): Whenever I push a commit from my local VS Code environment, even though the local commit details (checked via git log) clearly show my name and my email address, the commit on the GitHub web interface is displayed as being made by this strange user. This is the most alarming part.

Actions Taken So Far

• I have verified my local Git configuration to ensure my name and email are correct:

• git config user.name (Correct - my name)

• git config user.email (Correct - my email tied to my GitHub account)

I have ensured I am logged into my own GitHub account in VS Code.

I have checked for any unusual actions or webhooks in the Settings > Webhooks menu (none present)
SO,
How is it possible for an uninvited user to appear as a contributor, and more critically, hijack the authorship of my local commits when my Git configuration is correct and verified?
Any advice on how to diagnose and resolve this would be greatly appreciated. Thank you!

[ArianMakiabadi]

This isn’t actually someone getting access to your repo; it’s almost certainly commit attribution, not collaboration or hijacking.

A few important clarifications first:

• The Contributors list is built from commit history, not from invited collaborators. So someone can appear as a contributor even when Settings → Collaborators correctly shows “no collaborators.”
• On GitHub, the avatar/username shown on a commit is determined by the email stored inside the commit, not by who pushed it or who owns the repo.

So what’s happening is:
your commits are being authored with an email that GitHub is associating with that other user.

How to diagnose it properly:

1. Check the actual author info in a problematic commit (don’t rely only on git log):

git show -s --format=fuller <commit-sha>

Look carefully at both the Author and Committer name + email.

2. Check whether this repo is overriding your global git config:

git config --show-origin --get user.name
git config --show-origin --get user.email

If the output points to .git/config, then this repo has its own local configuration that overrides your global settings.

3. Verify the commit email on your GitHub account Go to GitHub → Settings → Emails and make sure the email you saw in step 1 is:

• added to your account
• fully verified

GitHub only links commits to accounts based on verified emails. If that email is not verified on your account, or is verified on someone else’s account, GitHub will show their username and avatar on the commit.

4. One more scenario that produces exactly what you’re describing is this:

You didn’t start from a clean folder; you started from a ZIP export that already included a .git/ directory.

This happens more often than people think, especially if:

• you copied a project folder from another machine,
• you unzipped a “starter project” someone sent you,
• you downloaded a repo as a ZIP from somewhere else, then uploaded/pushed it,
• or you extracted a folder that was already a git repo without realizing it.

Why it looks like “authorship hijacking” on GitHub

The .git/ folder is the entire identity + history of a repo. It contains:

• previous commits and authors,
• the original author email(s),
• and sometimes even local repo-specific config that overrides your global git config.

So even if git config user.name and git config user.email look correct globally, this repo might be carrying old metadata that GitHub links to that other user.

GitHub doesn’t guess who authored a commit based on who pushed it; it uses the author email inside the commit. If that email is verified on the unknown user’s GitHub account, GitHub will show their avatar/name on the web UI.

[Nishanth-nishu]

Explanation: Unknown Contributor & Commit Author Mismatch

This document explains why an unknown user may appear as a contributor in a GitHub repository and why commits may appear authored by another user.

Note: This behavior is not a security issue and does not mean someone has access to your repository.

Why an Unknown User Appears as a Contributor

GitHub defines a contributor as any account whose email appears in commits within the repository.

• This does not imply collaborator or write access.

• Contributors are inferred purely from commit metadata.

Therefore:

1. Settings → Collaborators shows none.

2. An unknown user still appears as a contributor (by design).

Why Commits Appear Authored by Another User

GitHub determines commit authorship only by the commit email, not by who pushed the commit.

GitHub's Process:

1. Reads the commit’s author/committer email.

2. Matches it to a GitHub account with that email verified.

3. Displays that account as the commit author.

This means one or more of the following is true:

• The email used in commits is verified on another GitHub account.

• An incorrect @users.noreply.github.com email was used.

• A global Git configuration overrides the repository configuration.

• Commits were created before fixing Git configuration.

There is no mechanism for a remote user to hijack commit authorship based on this behavior.

How to Confirm

Inspect an affected commit using the command line:

git show <commit-hash>

Check these fields in the output:

Author: Name <email>
Commit: Name <email>

If either email matches an email verified on another GitHub account, GitHub will attribute the commit to that account.

How to Fix

1. Set the Correct Email

Use an email address that is verified on your specific GitHub account.

Global configuration (recommended):

git config --global user.name "Your Name"
git config --global user.email "your_verified_email@example.com"

Optional (per repository):

git config user.email "your_verified_email@example.com"

2. Fix Past Commits (If Needed)

To fix the most recent commit:

git commit --amend --author="Your Name <your_verified_email@example.com>"
git push --force

Final Reassurance

• No one has access to your repository.

• No commits were hijacked.

• GitHub is behaving as designed.

• This is an email attribution issue, not a permission or security issue.

Summary

Concern | Explanation -- | -- Unknown contributor | Commit email attribution Authorship mismatch | Email matches another account No collaborators | Correct and expected