The deletion of the account would not delete commits associated with it. The commit would still contain everything potentially malicious, plus a reference to an account that would be deleted. Which is actually worse, you cant track what code a malicious actor has contributed (easily). So the correct thing to do is take away login / deactivate the account, and then start going through all contributions and check them via the account that references all of this.