The last spam I saw, linked to an Itch profile and had a link to Github. It was posted on a hacked account. I also saw images being used in spam comments.
And last time I checked, 2fa would not protect an account from being hacked and subsequently used for posting malware and comments. I hope they did improve or will improve that.
And to shame Itch's system, the account is still posting. I think it is like 500 comments in the last hours. While we do not see what the system blocks, the things we do see are often embarassing. While from the other side, users get blocked for things they do not understand.