Who is at fault here, the developer who pushed the changes or the developer who pulled the malicious code?
@barefootstache Both, but with varying degrees of accountability.
Clearly the developer was willing to risk his reputation to try to effect change. He is within his right to do so, as it is ultimately up to the users of his "product" to verify that any changes made are non-malicious and will not impact their system, without just blindly pulling them. Especially since the MIT license includes the following tidbit:
"THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE."
With that said, I would say this may not be the best idea. If you want to do some morally grey cracking, at least try to anonymize it and don't directly link it to a well-respected open source project. It may damage FLOSS's reputation in the long run.
@johnabs You make a good point referring to the MIT, which I totally overlooked.
The grey cracking reminds me of something that I am currently dealing with by creating a Greasemonkey script for the social media platform Minds.com that modifies the look and feel, which is kind of a grey zone in their terms.