The .NET community was alerted on August 8, 2023, that the Moq testing library exfiltrates developer email addresses from development machines and sends them to third-party remote servers as part of an experiment to fund the maintainer's work. The library, which has been downloaded over 475 million times, uses a new build-time behavior to extract email addresses from git user profiles and send them to an Azure blob storage service, which interacts with a third-party SponsorLink service. The incident raises concerns about supply chain security and about the imbalance of responsibility in open source software development, where maintainers pursue sponsorship and recognition for their work. To mitigate the issue, developers are advised to remove the 4.20.0 dependency, block it in package management tools, consider re-routing DNS records associated with SponsorLink, and add Snyk to their CI or build workflows to detect security vulnerabilities.
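One way to check a source tree for the 4.20.0 dependency before removing or blocking it, as an added example that is not code from the Moq project or the original article. The function names, the manifest file patterns and the sample manifest (including `Example.Lib`) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

BLOCKED = {("moq", "4.20.0")}  # package id (lowercased) and the version named above
PATTERNS = ("*.csproj", "*.fsproj", "*.vbproj", "*.props", "packages.config")  # assumed layout

# Constructed sample manifest (not from a real project).
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Moq" Version="4.20.0" />
    <PackageReference Include="Example.Lib"><Version>1.2.3</Version></PackageReference>
  </ItemGroup>
</Project>"""

def local(tag):
    """Drop the XML namespace that old-style MSBuild project files declare."""
    return tag.rsplit("}", 1)[-1]

def find_blocked(xml_text):
    """Return the (id, version) references in one manifest that match BLOCKED."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        kind, pkg, ver = local(el.tag), None, None
        if kind in ("PackageReference", "PackageVersion"):
            pkg = el.get("Include") or el.get("Update")
            ver = el.get("Version")  # attribute form, else child-element form
            if ver is None:
                ver = next((c.text for c in el if local(c.tag) == "Version"), None)
        elif kind == "package":  # packages.config entry
            pkg, ver = el.get("id"), el.get("version")
        # "[4.20.0]" is NuGet's exact-version range notation for the same pin.
        if pkg and ver and (pkg.strip().lower(), ver.strip().strip("[]")) in BLOCKED:
            hits.append((pkg, ver))
    return hits

def scan_tree(root):
    """Map each manifest under root to its blocked references; skip bad files."""
    report = {}
    for path in (p for pat in PATTERNS for p in Path(root).rglob(pat)):
        try:
            hits = find_blocked(path.read_text(encoding="utf-8-sig"))
        except (ET.ParseError, OSError, UnicodeDecodeError):
            continue  # unreadable or malformed manifest: skip rather than fail the scan
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    print(find_blocked(SAMPLE), scan_tree("."))
```

The check matches direct, exactly pinned references only; floating version ranges and transitive dependencies need the resolved package graph, for example from `dotnet list package --include-transitive`.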