An unsolicited email (spam) I recevied today contained a long list of email addresses in the To field. So not only is it harassing but it's also leaking addresses. The domains in the list suggest they were harvested from some code repository: Redhat, Suse, Debian, IBM, Archlinux, Sourceforge and noreply.Github.com! Even have a guess which project it is. This could be happening on any public code repository, but I have a keen suspicion this taking place on Github.