Comment by retlehs

2 days ago

As others have noted, the emails frequently include the sender's actual GitHub username or organization in the body or signature.

Attribution isn't speculative. The DKIM/SPF headers show the messages are authenticated and sent through the company's own mail servers, signed by their domain. These are not spoofed "joe@legitbusiness.com" messages. I include the original headers in every abuse report.

In several cases I've engaged directly. One founder replied to my "stop spamming" email and later sent me a LinkedIn request. When the name in the signature, the GitHub profile, the authenticated sending domain, and the LinkedIn account all align, the hacked-account explanation no longer fits the facts.
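The header evidence described above, as an added example that is not the commenter's own code: it parses an Authentication-Results header and checks whether the DKIM and SPF passes are aligned with the From: domain, which is the distinction between an authenticated message from the organisation's own mail system and a spoofed one. The two sample messages, the authserv-id `mx.example.net`, and the `bulkmailer.example` domain are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

def parse_auth_results(value):
    """Map 'dkim'/'spf' to (verdict, domain) from an Authentication-Results value."""
    value = re.sub(r"\s+", " ", value)          # unfold the header
    results = {}
    for clause in value.split(";")[1:]:         # segment 0 is the authserv-id
        m = re.match(r"\s*(dkim|spf)=(\w+)(.*)", clause)
        if not m:
            continue
        method, verdict, props = m.groups()
        d = re.search(r"(?:header\.d|smtp\.mailfrom)=(?:[^@\s]*@)?([\w.-]+)", props)
        results[method] = (verdict.lower(), d.group(1).lower() if d else None)
    return results

def aligned(auth_domain, from_domain):
    """Relaxed alignment, approximated as identical or parent/child domain
    (a full DMARC check would compare organizational domains)."""
    if not auth_domain:
        return False
    return (auth_domain == from_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))

def attribute_sender(raw_message):
    """Return (from_domain, dkim_aligned_pass, spf_aligned_pass) for raw RFC 5322 text."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    dkim_verdict, dkim_domain = auth.get("dkim", ("none", None))
    spf_verdict, spf_domain = auth.get("spf", ("none", None))
    return (from_domain,
            dkim_verdict == "pass" and aligned(dkim_domain, from_domain),
            spf_verdict == "pass" and aligned(spf_domain, from_domain))

# Constructed sample: signed and sent by the organisation's own domain.
AUTHENTICATED = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=legitbusiness.com header.s=sel1;
 spf=pass smtp.mailfrom=bounce@legitbusiness.com
From: Joe <joe@legitbusiness.com>
Subject: Quick question about your repo

hello
"""

# Constructed sample: same From: address, but signed by an unrelated domain.
SPOOFED = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=bulkmailer.example header.s=x;
 spf=fail smtp.mailfrom=legitbusiness.com
From: Joe <joe@legitbusiness.com>
Subject: Quick question about your repo

hello
"""

if __name__ == "__main__":
    print(attribute_sender(AUTHENTICATED))   # ('legitbusiness.com', True, True)
    print(attribute_sender(SPOOFED))         # ('legitbusiness.com', False, False)
```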