Who is at fault here, the developer who pushed the changes or the developer who pulled the malicious code?
@johnabs You make a good point referring to the MIT, which I totally overlooked.
The grey cracking reminds me of something that I am currently dealing with by creating a Greasemonkey script for the social media platform Minds.com, modifying the look and feel, which is kind of a grey zone in their terms.
@barefootstache Glad I was able to provide a perspective you hadn't considered yet! :)
Also, for modifying Minds (or at least the interface you view in your browser), their terms ultimately don't have any sway over the software you choose to run on your computer, including the HTML/CSS/JS/etc. they are serving you over the web; this is why ad-blockers aren't illegal. If the script is hiding/showing certain elements on the page and not attempting to access or modify the back-end or send "3rd party" requests via an unofficial API, what you're doing is completely legitimate.
@johnabs thanks for the clarification
@barefootstache Both, but with varying degrees of accountability.
Clearly the developer was willing to risk his reputation to try to effect change. He is within his right to do so, as it is ultimately up to the users of his "product" to verify that any changes made are non-malicious and will not impact their system, without just blindly pulling them. Especially since the MIT license includes the following tidbit:
"THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE."
With that said, I would say this may not be the best idea. If you want to do some morally grey cracking, at least try to anonymize it and don't directly link it to a well-respected open source project. It may damage FLOSS's reputation in the long run.