If you have two-factor authentication enabled and are receiving two-factor notifications—while not doing something that might trigger those—then it would seem prudent to change your Apple ID password to a new and robust snd unique password.
…If you think your Apple ID has been compromised - Apple Support
If you have re-used your password(s), please discontinue that practice, and reset all your passwords ro new and robust and unique values.
If younhave two-factor enabled and have not been performing activities that would prompt for verification codes, then it would seem your password might be known, but—if you have two-factor authentication enabled—that second factor has not been breached.
Scam messages and phishing messages are unfortunately also commonplace:
…Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support