Yes, I installed it on a test site from the add new plugins page. The plugin is ShareThis or Share This. I’m in the habit of not giving plugins my email, so I’m pretty sure they harvested it from my account. I’d deleted the plugin as it wasn’t meeting my needs before receiving the email spam.
I didn’t want to mention it out in the open at all, my hope was there were proper channels to report it, because my thought was that it might be breaking a policy for hosting a plugin through wordpress.org. The other plugin doing it is Shareaholic.
When the plugin is first installed, it directly sends a one-time notification email to the admin of the WordPress install with a link to customer support, etc. The email is designed to help the user get started.
The email is handled similar to how WordPress now sends a notification email when automatic/background upgrades are done. ie. WordPress does not harvest email addresses and neither does Shareaholic. WordPress or the plugin directly sends the email.