Moq, a super popular NuGet package, included a dependency that harvested email addresses from the git.config files of all Moq users.
The behavior was removed, but by that point, it collected quite the data.
You don't need to have malicious/shady bejavior up for months... a few days in a super-popular library and the damage is done.