Martin from GitHub here. This type of behaviour is explicitly against the GitHub terms of service, when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts. It's a game of whack-a-mole for sure, and it's not just start-ups that take part in this sketchy behaviour to be honest. I've been plenty of examples in my time across the board.
The fundamental nature of Git makes this pretty easy for folks to scrape data from open source repositories. It's against our terms of service and those folks might want to talk with some lawyers about doing it - but as every Git commit contains your name and email address in the commit data it's not technically difficult even if it is unethical.
From the early days we've added features to help users anonymise their email addresses for commits posted to GitHub. Basically, you configure your local Git client to use your 'no-reply' email address in commits and that still links back to your GitHub account when you push: https://docs.github.com/en/account-and-profile/reference/ema...
I think that's still probably the best route. We want to keep open source data as open as possible, so I don't think locking down API's etc is the right route. We do throttle API requests and scraping traffic, but then again there have been plenty of posts here over the years from people annoyed at hitting those limits so it's definitely a balancing act. Love to know what folks here think though.
show comments
scottydelta
YC is a proud investor in Flock, what YC Ethics thing are you talking about?
show comments
an0malous
Ever wonder why YC has the "Describe a time you most successfully hacked some system to your advantage" question? It's because they select for founders that are willing to take advantage of legal gray areas. Airbnb repeatedly violated Craigslist terms of service and called it "growth hacking." Reddit stole content from Digg and faked users. OpenAI trains their models on copyrighted content.
keiferski
I've spent a lot of my career marketing to developers, and spamming their GitHub account might be top 1 or 2 worst marketing tactics you can use.
Cold emailing rarely works by itself. Cold emailing developers via emails you pulled from their GitHub accounts? At that point, you're actively harming your brand, and may as well just send them spam diet pill ads.
show comments
dathinab
As a side note unsolicited advertisement of this kind is illegal in Europe.
And them claiming "they didn't know" can be dismissed given that many dev on GH have location information set.
It also in general doesn't change anything. the law doesn't care if you know or didn't.
Startups starting out their journey by committing crime is always a grate sign for their trustability.
unfunco
I also had unsolicited spam from Vincent Jiang of Aden, another YC company.
Hi Daniel,
I just came across your profile on social media and wondered if you'd be interested in joining our Discord community for AI agent development. Currently, we see that agents break, loop, get lost, hallucinate, and cost a fortune, and therefore built a space where developers can share challenges and insights.
show comments
elwebmaster
Just got a SPAM email from a Github scraper while reading this thread:
From: james@techglobal.website
Quick note – your GitHub profile
Hi X,
I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out.
Profile:
I run a technical team (full-stack, cloud, DevOps) that delivers for clients. We're looking to work with an engineer based in the US on client-facing coordination—discovery, requirements, alignment—while we handle delivery. If that might be relevant, I'd be glad to set up a short call.
Regards,
James
If I had to guess, "James" is a North Korean looking to scam US clients, based on my experience with shady actors.
We are keen to get your feedback, and star if feeling generous.
Thanks a million
show comments
kristoff_it
I have received over the years so much spam of this kind by multiple YC-funded companies that I now reflexively send to spam any email that mentions being YC-funded, regardless of how legitimate the email is.
show comments
neya
This is atleast fine as it's just spam, I got pulled into an actual scam and it never made it to the frontpage.
I find it interesting that a substantial number of people seem to think it's wrong or unethical to cold-email someone about a potential recruitment or business opportunity if they post their email in a public place, such as commits in a public Github repo.
I feel like if you don't want companies to cold-email you, you shouldn't make your email public. Github provides noreply email addresses for this purpose.
show comments
callamdelaney
YC is basically advising their startups to engage in shitty business practices, like trying to hire UK staff for half the salary and expecting 7 day weeks.
This happens all the time, not really surprised as the GitHub API makes it pretty easy to extract valuable leads with real and confirmed email addresses.
show comments
WhatsName
Doesn't YC have some code of conduct or legal/ethical guidelines? I would assume a legal and compliance department would have some major headache if documented cases of misconduct jeopardize later due diligence. I would not fund or aquire a company on the radar of national regulatory bodies for something as stupid as this.
show comments
LeoPanthera
They scrape "Show HN" as well. I got put on a list and continue to get spam to this day.
coffeecoders
For me, its those Who's hiring or Who wants to get hired posts. I used a throwaway email once and got emails about SEO and AI projects.
I don’t engage. I mark as spam, block the sender/domain, and move on.
ttul
Didn't AirBnB famously spam people in the Bay Area as a "guerilla tactic" to build the business in its early days? This kind of fast and loose behaviour seems standard.
scirob
This sounds decently targeted, why is it so offensive? Email marketing is far more democratic than Superbowl ads, give a small company a chance it's not hard to build something without the Superbowl millions
mustaphah
Even worse, I got contacted through YC Jobs (workatastartup.com) with a message that was basically: "Star, fork, and submit PRs to our open-source repo and we'll review you for a contract."
I immediately realize it's engagement farming + free labor. I said "No thanks."
Got this reply: "(...) I'm looking forward to reviewing your PRs. Feel free to share me any of your questions. (...)"
Apparently, no one read my reply - not even AI. They are automating this shit. It's sad that many fall for it (check their Github repo)
That's nothing. Former/current YC founders are also abusing BookFace.
I did YC and now work at a frontier lab.
I've received multiple spam-style emails from (mostly young) current founders tagging me and all other YC-alum at my place-of-work with the profiles of their friends for internship roles, referrals, etc.. Same girl has done it for like 5 different people.
ChrisMarshallNY
I’m not especially bothered by this [yet -AI is likely to make this worse]. It’s a fairly insignificant component of my spam catcher. At least, it’s a bit focused.
Every day, I get deluged with hundreds of spam and scam emails, often because some knucklehead entered my email in a form (either accidentally, or as a throwaway red herring).
show comments
oefrha
Yes, startups, recruiting platforms, and students/“researchers” with stupid surveys for their worthless “research” spam me all the time by scraping the email from GitHub. I immediately trash the first two categories; I send a sternly-worded reply to the third category.
scosman
I’m also getting “saw you on GitHub” spam from voice.ai
And they are using a different domain for the emails so the spam markers don’t hit their primary domain.
theturtletalks
General advice would be to mark the email as spam or junk and hopefully their email platform penalizes them, but this has been working less and less. Email has truly become pay to play now.
show comments
jedberg
FYI, there are whole companies built around this concept. You tell them which repos are interesting to you, and they give you a list of people who interact with that repo. They also de-anonymize the users so you can find them on LinkedIn or elsewhere.
EdNutting
My solution to this is to use a Github-specific email address. All emails sent to that address which do not originate from GitHub are immediately reported as spam, marked read and deleted.
I sometimes use different git/GitHub addresses depending on who I'm working for or specific projects so I can more accurately detect where data is being scraped from.
show comments
pmdr
People here assume that YC is some kind of ethics benchmark for business. It's not.
6thbit
I wish github could ammend the email of my commits to the private noreply address during push so they _never_ have any other email associated to them. May not be feasible due to the commit changing, confusing local branch and such?
They have this other thing where they reject pushes for the 'known' emails you've told them you have, but kinda seems there should be a setting to do that for any email that is not your noreply private one.
is that a feasible thing to ask for?
show comments
pscanf
I was also spammed (twice) by voice.ai.
You mention GDPR, which also "applies" to me, though I wonder if what they're doing is actually illegal. I mean, after all, I'm putting my email on GitHub precisely to give people a way to contact me.
Of course, I do that naïvely, assuming good faith, not expecting _companies_ to use it to spam me. So definitely what they're doing is, at the very least, in poor taste.
show comments
apparent
Even before AI, I found it super annoying when I got spam from companies touting their YC cred.
They're literally hurting their own brand, as well as YC's.
b8
Boundaries don't exist really in tech and especially with emails. I just filter out spam and block a good bit. People just ignore stuff now a days even people saying hi passing someone in the street (which I stopped doing)? My colleges spam filter catches a lot of them. Your email is presumably already in data dumps.
danbrooks
I got some emails like this from overseas developers looking to borrow my Linkedin to land a higher paying job.
ttoinou
Couldn’t github replace all public commits author info email by a username@author.github.com email automagically ?
show comments
lordgrenville
Maybe a dumb question, but isn't this trivially solved with this .gitconfig?
[user]
name = lordgrenville
email = <some_kind_of_id>+lordgrenville@users.noreply.github.com
show comments
bakugo
This sounded familiar, so I checked my inbox and I did indeed receive a similar email from sanchitmonga@runanywheresdk.com earlier this month:
> I came across your GitHub profile and thought you might be interested in what my team and I are building. We're developing an open source SDK that runs LLMs directly on-device.
What's even more interesting is that both buildrunanywhere.org and runanywheresdk.com show a stock hostinger parking page when accessed in a browser. Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain.
I guess I shouldn't be surprised given YC is going all in on AI and most AI companies are no better than the crypto scammers of yesteryear, but still.
show comments
suprjami
Big deal, so does every other company.
If you're lonely just upload a few AI keywords to a repo. You'll get emails forever.
ting0
Change your email to something like: myemail+gh@mail.com (the "+gh" tag). You can put any tag/word there, and if you get spam from a company you'll be able to identify that it came from them scraping your GH. Then you can report it with certainty.
show comments
tom_m
Happens all the time.
malmeloo
Oh I'm getting so tired of this. Lately there appears to have been an uptick in this kind of marketing spam too, there's so many companies trying to advertise their AI products this way. At least it's a good indicator of which companies I should avoid at all costs, and it provides me with an email address I can use to direct my angry emotions towards.
They're getting more aggressive at it too. Just yesterday I received an email from Alignerr (not YC affiliated I think) saying that my sign-up was complete and cheerfully welcoming me to their platform. I had never even heard of them. An automated "job opportunity!" email didn't arrive until 3 hours later, but by then I had already directed some angry words towards their support email.
Other, even less respectable projects are also regularly enrolling my GitHub projects into their platforms, and I have to actively reach out to them to remove it.
I'm so tired of this man. Can someone go and take away these organizations' ability to send emails?
j16sdiz
Over many years, I have got email from university for survey / research.
This is not GitHub only, I have got a survey on how my experience interacting with folks on lkml
rlaabs
I've received the exact same email from the same company.
outloudvi
I usually check the "Received" header and report to the email service provider. Once in a while I receive a response saying the case is properly handled.
These providers are the only ones that care about their reputation and thus may take some action. Investors? Nope.
show comments
jacquesm
Sometimes they also scrape HN profiles, it is most irritating.
insane_dreamer
I get these types of emails daily -- never bothered to check whether they are YC or not as I don't read them; I can tell from the first sentence that it's not a company I know and am doing biz with and it goes directly into z-file. Most seem to have gotten my email address from LinkedIn, others from GH.
Side note but the trick I learned, at least with gMail is not to delete the email (which doesn't prevent you from getting new ones), or even reporting as spam (which may or may not work), but instead dragging it into the Promotions tab, into which all future emails from that email address will automatically go. Promotions tab then acts as your Trash.
The quickest way to get me to never do business with you is to send me spam.
axegon_
I've received several similar ones over the years. At this point, if I get an email from someone I don't know and it contains a link, chances are it's spam. I genuinely doubt github(or any other company for that matter) would do something about it. While I fully support GDPR, the truth is, few people are willing to take action knowing how much bureaucracy would be involved...
show comments
rodrigodlu
I did receive these kinds of emails as well.
And I use a different email fromy priority email for GitHub commits since 4 years ago.
So just stop with marketing slop please.
Yes, I work with AI, and I'm becoming pretty good at it.
But this doesn't mean I'm comfortable pushing AI slop into potential users and customers.
I (and they) want to use AI to facilitate their processes, not to ingest slop content.
hmokiguess
HN and YC walk a thin line between hacker culture and venture capitalist culture. I know it’s easy to think that because HN comes from YC them too are aligned with hacker culture, but no. YC is all cutthroat business.
show comments
idoxer
I also received this shitty email 3 days ago
nprateem
There's no reason to put your real email in git config unless you're signing, in which case repos should be private. I would have thought that was obvious.
koakuma-chan
I have been having the same experience. If you starred a GitHub repo, and they think that their product is similar, they will send you their spam. I condemn this! They should be ashamed!
show comments
ValentineC
> These emails indicate that those companies scrape people's Github activity, and if they notice users contributing to repos in their field of business, send marketing emails to those users without receiving their consent. My guess is that they use commit metadata for this purpose.
There are likely marketing email datasets floating around the internet that contain email addresses scraped from commit metadata.
I use a catchall with a specific Git client (not GitHub) email address, and found spam and phishing emails being sent there quite a few times.
Martin from GitHub here. This type of behaviour is explicitly against the GitHub terms of service, when we catch the accounts doing this we can (and do) take action against those accounts including banning the accounts. It's a game of whack-a-mole for sure, and it's not just start-ups that take part in this sketchy behaviour to be honest. I've been plenty of examples in my time across the board.
The fundamental nature of Git makes this pretty easy for folks to scrape data from open source repositories. It's against our terms of service and those folks might want to talk with some lawyers about doing it - but as every Git commit contains your name and email address in the commit data it's not technically difficult even if it is unethical.
From the early days we've added features to help users anonymise their email addresses for commits posted to GitHub. Basically, you configure your local Git client to use your 'no-reply' email address in commits and that still links back to your GitHub account when you push: https://docs.github.com/en/account-and-profile/reference/ema...
I think that's still probably the best route. We want to keep open source data as open as possible, so I don't think locking down API's etc is the right route. We do throttle API requests and scraping traffic, but then again there have been plenty of posts here over the years from people annoyed at hitting those limits so it's definitely a balancing act. Love to know what folks here think though.
YC is a proud investor in Flock, what YC Ethics thing are you talking about?
Ever wonder why YC has the "Describe a time you most successfully hacked some system to your advantage" question? It's because they select for founders that are willing to take advantage of legal gray areas. Airbnb repeatedly violated Craigslist terms of service and called it "growth hacking." Reddit stole content from Digg and faked users. OpenAI trains their models on copyrighted content.
I've spent a lot of my career marketing to developers, and spamming their GitHub account might be top 1 or 2 worst marketing tactics you can use.
Cold emailing rarely works by itself. Cold emailing developers via emails you pulled from their GitHub accounts? At that point, you're actively harming your brand, and may as well just send them spam diet pill ads.
As a side note unsolicited advertisement of this kind is illegal in Europe.
And them claiming "they didn't know" can be dismissed given that many dev on GH have location information set.
It also in general doesn't change anything. the law doesn't care if you know or didn't.
Startups starting out their journey by committing crime is always a grate sign for their trustability.
I also had unsolicited spam from Vincent Jiang of Aden, another YC company.
Just got a SPAM email from a Github scraper while reading this thread:
From: james@techglobal.website Quick note – your GitHub profile Hi X,
I came across your profile on GitHub. Given you're based in the US, I thought it might be relevant to reach out.
Profile:
I run a technical team (full-stack, cloud, DevOps) that delivers for clients. We're looking to work with an engineer based in the US on client-facing coordination—discovery, requirements, alignment—while we handle delivery. If that might be relevant, I'd be glad to set up a short call.
Regards, James
If I had to guess, "James" is a North Korean looking to scam US clients, based on my experience with shady actors.
I remember this being discussed a while ago
https://news.ycombinator.com/item?id=9332418 (11 years ago)
https://news.ycombinator.com/item?id=20660624 (7 years ago)
https://news.ycombinator.com/item?id=27855152 (5 years ago)
https://news.ycombinator.com/item?id=30900237 (4 years ago)
Seems it’s a reoccurring issue
Got this spam today on my GitHub address, YC affiliated:
From: henry@joincactuscompute.com
Hey,
I hope all is well with you, just reaching out as you seem to be interested in on-device speech models.
Cactus is a low-latency AI engine for consumer devices like phones, Macs, wearables, Raspberry Pis, etc.
We support transcription models like Whisper & Parakeet, benchmarks available in the attached GitHub repo.
GitHub: https://github.com/cactus-compute/cactus
We are keen to get your feedback, and star if feeling generous.
Thanks a million
I have received over the years so much spam of this kind by multiple YC-funded companies that I now reflexively send to spam any email that mentions being YC-funded, regardless of how legitimate the email is.
This is atleast fine as it's just spam, I got pulled into an actual scam and it never made it to the frontpage.
https://news.ycombinator.com/item?id=45357205
I find it interesting that a substantial number of people seem to think it's wrong or unethical to cold-email someone about a potential recruitment or business opportunity if they post their email in a public place, such as commits in a public Github repo.
I feel like if you don't want companies to cold-email you, you shouldn't make your email public. Github provides noreply email addresses for this purpose.
YC is basically advising their startups to engage in shitty business practices, like trying to hire UK staff for half the salary and expecting 7 day weeks.
Email address privacy is a feature offered by Github and replaces your day to day email: https://docs.github.com/en/account-and-profile/how-tos/email...
This happens all the time, not really surprised as the GitHub API makes it pretty easy to extract valuable leads with real and confirmed email addresses.
Doesn't YC have some code of conduct or legal/ethical guidelines? I would assume a legal and compliance department would have some major headache if documented cases of misconduct jeopardize later due diligence. I would not fund or aquire a company on the radar of national regulatory bodies for something as stupid as this.
They scrape "Show HN" as well. I got put on a list and continue to get spam to this day.
For me, its those Who's hiring or Who wants to get hired posts. I used a throwaway email once and got emails about SEO and AI projects.
I don’t engage. I mark as spam, block the sender/domain, and move on.
Didn't AirBnB famously spam people in the Bay Area as a "guerilla tactic" to build the business in its early days? This kind of fast and loose behaviour seems standard.
This sounds decently targeted, why is it so offensive? Email marketing is far more democratic than Superbowl ads, give a small company a chance it's not hard to build something without the Superbowl millions
Even worse, I got contacted through YC Jobs (workatastartup.com) with a message that was basically: "Star, fork, and submit PRs to our open-source repo and we'll review you for a contract."
I immediately realize it's engagement farming + free labor. I said "No thanks."
Got this reply: "(...) I'm looking forward to reviewing your PRs. Feel free to share me any of your questions. (...)"
Apparently, no one read my reply - not even AI. They are automating this shit. It's sad that many fall for it (check their Github repo)
---
Company: Aden (W20)
Contact: Vincent Jiang, Founder
Github: https://github.com/aden-hive/hive
That's nothing. Former/current YC founders are also abusing BookFace.
I did YC and now work at a frontier lab.
I've received multiple spam-style emails from (mostly young) current founders tagging me and all other YC-alum at my place-of-work with the profiles of their friends for internship roles, referrals, etc.. Same girl has done it for like 5 different people.
I’m not especially bothered by this [yet -AI is likely to make this worse]. It’s a fairly insignificant component of my spam catcher. At least, it’s a bit focused.
Every day, I get deluged with hundreds of spam and scam emails, often because some knucklehead entered my email in a form (either accidentally, or as a throwaway red herring).
Yes, startups, recruiting platforms, and students/“researchers” with stupid surveys for their worthless “research” spam me all the time by scraping the email from GitHub. I immediately trash the first two categories; I send a sternly-worded reply to the third category.
I’m also getting “saw you on GitHub” spam from voice.ai
And they are using a different domain for the emails so the spam markers don’t hit their primary domain.
General advice would be to mark the email as spam or junk and hopefully their email platform penalizes them, but this has been working less and less. Email has truly become pay to play now.
FYI, there are whole companies built around this concept. You tell them which repos are interesting to you, and they give you a list of people who interact with that repo. They also de-anonymize the users so you can find them on LinkedIn or elsewhere.
My solution to this is to use a Github-specific email address. All emails sent to that address which do not originate from GitHub are immediately reported as spam, marked read and deleted.
I sometimes use different git/GitHub addresses depending on who I'm working for or specific projects so I can more accurately detect where data is being scraped from.
People here assume that YC is some kind of ethics benchmark for business. It's not.
I wish github could ammend the email of my commits to the private noreply address during push so they _never_ have any other email associated to them. May not be feasible due to the commit changing, confusing local branch and such?
They have this other thing where they reject pushes for the 'known' emails you've told them you have, but kinda seems there should be a setting to do that for any email that is not your noreply private one. is that a feasible thing to ask for?
I was also spammed (twice) by voice.ai.
You mention GDPR, which also "applies" to me, though I wonder if what they're doing is actually illegal. I mean, after all, I'm putting my email on GitHub precisely to give people a way to contact me.
Of course, I do that naïvely, assuming good faith, not expecting _companies_ to use it to spam me. So definitely what they're doing is, at the very least, in poor taste.
Even before AI, I found it super annoying when I got spam from companies touting their YC cred.
They're literally hurting their own brand, as well as YC's.
Boundaries don't exist really in tech and especially with emails. I just filter out spam and block a good bit. People just ignore stuff now a days even people saying hi passing someone in the street (which I stopped doing)? My colleges spam filter catches a lot of them. Your email is presumably already in data dumps.
I got some emails like this from overseas developers looking to borrow my Linkedin to land a higher paying job.
Couldn’t github replace all public commits author info email by a username@author.github.com email automagically ?
Maybe a dumb question, but isn't this trivially solved with this .gitconfig?
This sounded familiar, so I checked my inbox and I did indeed receive a similar email from sanchitmonga@runanywheresdk.com earlier this month:
> I came across your GitHub profile and thought you might be interested in what my team and I are building. We're developing an open source SDK that runs LLMs directly on-device.
What's even more interesting is that both buildrunanywhere.org and runanywheresdk.com show a stock hostinger parking page when accessed in a browser. Something tells me they're intentionally registering these "alternate" domains specifically for spam, to avoid tanking the email reputation of their main runanywhere.ai domain.
I guess I shouldn't be surprised given YC is going all in on AI and most AI companies are no better than the crypto scammers of yesteryear, but still.
Big deal, so does every other company.
If you're lonely just upload a few AI keywords to a repo. You'll get emails forever.
Change your email to something like: myemail+gh@mail.com (the "+gh" tag). You can put any tag/word there, and if you get spam from a company you'll be able to identify that it came from them scraping your GH. Then you can report it with certainty.
Happens all the time.
Oh I'm getting so tired of this. Lately there appears to have been an uptick in this kind of marketing spam too, there's so many companies trying to advertise their AI products this way. At least it's a good indicator of which companies I should avoid at all costs, and it provides me with an email address I can use to direct my angry emotions towards.
They're getting more aggressive at it too. Just yesterday I received an email from Alignerr (not YC affiliated I think) saying that my sign-up was complete and cheerfully welcoming me to their platform. I had never even heard of them. An automated "job opportunity!" email didn't arrive until 3 hours later, but by then I had already directed some angry words towards their support email.
Other, even less respectable projects are also regularly enrolling my GitHub projects into their platforms, and I have to actively reach out to them to remove it.
I'm so tired of this man. Can someone go and take away these organizations' ability to send emails?
Over many years, I have got email from university for survey / research.
This is not GitHub only, I have got a survey on how my experience interacting with folks on lkml
I've received the exact same email from the same company.
I usually check the "Received" header and report to the email service provider. Once in a while I receive a response saying the case is properly handled.
These providers are the only ones that care about their reputation and thus may take some action. Investors? Nope.
Sometimes they also scrape HN profiles, it is most irritating.
I get these types of emails daily -- never bothered to check whether they are YC or not as I don't read them; I can tell from the first sentence that it's not a company I know and am doing biz with and it goes directly into z-file. Most seem to have gotten my email address from LinkedIn, others from GH.
Side note but the trick I learned, at least with gMail is not to delete the email (which doesn't prevent you from getting new ones), or even reporting as spam (which may or may not work), but instead dragging it into the Promotions tab, into which all future emails from that email address will automatically go. Promotions tab then acts as your Trash.
The quickest way to get me to never do business with you is to send me spam.
I've received several similar ones over the years. At this point, if I get an email from someone I don't know and it contains a link, chances are it's spam. I genuinely doubt github(or any other company for that matter) would do something about it. While I fully support GDPR, the truth is, few people are willing to take action knowing how much bureaucracy would be involved...
I did receive these kinds of emails as well.
And I use a different email fromy priority email for GitHub commits since 4 years ago.
So just stop with marketing slop please.
Yes, I work with AI, and I'm becoming pretty good at it.
But this doesn't mean I'm comfortable pushing AI slop into potential users and customers.
I (and they) want to use AI to facilitate their processes, not to ingest slop content.
HN and YC walk a thin line between hacker culture and venture capitalist culture. I know it’s easy to think that because HN comes from YC them too are aligned with hacker culture, but no. YC is all cutthroat business.
I also received this shitty email 3 days ago
There's no reason to put your real email in git config unless you're signing, in which case repos should be private. I would have thought that was obvious.
I have been having the same experience. If you starred a GitHub repo, and they think that their product is similar, they will send you their spam. I condemn this! They should be ashamed!
> These emails indicate that those companies scrape people's Github activity, and if they notice users contributing to repos in their field of business, send marketing emails to those users without receiving their consent. My guess is that they use commit metadata for this purpose.
There are likely marketing email datasets floating around the internet that contain email addresses scraped from commit metadata.
I use a catchall with a specific Git client (not GitHub) email address, and found spam and phishing emails being sent there quite a few times.