@alx

1/ not that I know of
2/ I don't think there are known vulnerabilities that allow to forge a note's author (as long as neither your instance or the other person's instance is compromised), so the most probable scenario is that the account's password has been leaked / compromised.

I'd report the post as "possible account hijacking?" and make sure to forward the report to the origin instance. If the admin finds a pattern, they could suspend the account and contact the user via email.