Windows contains the rm -rf code, but you, as a user, would have to knowingly trigger it and confirm. It's not like Windows tricks you into formatting your drive.
Directing the argument into Windows is just whataboutism.
Intent doesn't matter. The only person who cares about intent is the agent who acts.
The repository contains the console.log code, but you, as a user, would have to knowingly download it and run it. It's not like pushing code into a repository tricks you into running the code.
Trying to "win" by labeling something as "whataboutism" is just idiotism.
Knowingly?! Clearly every developer of an app breaking because of these packages had no idea their app was going to break, and clearly it was exactly the intention. They _were_ tricked.
Can you not see a difference between this and releasing a new package with a README saying "this module will print 'liberty liberty liberty' to your console in an infinite loop!"?
So you're saying he also had to document his code? Maybe make a pull request.
Every developer is responsible for what goes into his project, including dependencies. When a developer wants to update a dependency, he is responsible for the appropriateness of the update. In order to get an idea, he should audit the changes. For personal code, such an audit may consist of a quick skim to determine that nothing breaks. For production code, it may also include a security audit.
When a dependency that used to do X now does Y and therefore breaks your stuff, you are the one responsible for dealing with it. The author disclaimed any warranty and any fitness of purpose for his project, and whether his intentions make sense or not is of no consequence.
My point was that there is no such thing as "malicious code". Code is code, and it's your responsibility to determine whether it fits the context. That someone put it out there with an MIT license means the responsibility is yours.
P.S. You sound like a cool guy, why did you sell the bus? OK, I see that you live in Sweden now (Scandinavia is my dream), so I understand.