[markvdb]

This developer has every right to a nervous breakdown over the war in Ukraine.

The npm ecosystem distributing yet another malicious module is more serious though.

[rsstack]

There's no reason to excuse criminals over lack of enforcement.

[madaxe_again]

So he’s a criminal now? Under what law, of what nation? Russia?

[jaimex2]

Most countries have cybercrime laws that have clauses for malicious code. Here in Australia for example:

Cybercrime offences are found in Commonwealth legislation within parts 10.7 and 10.8 of the Criminal Code Act 1995 and include:

-Computer intrusions

-Unauthorised modification of data, including destruction of data

-Unauthorised impairment of electronic communications, including denial of service attacks

-The creation and distribution of malicious software (for example, malware, viruses, ransomware)

-Dishonestly obtaining or dealing in personal financial information.

[celticninja]

Is it unauthorised if a user chooses to add the package themselves? This is not being put into anyone's machine clandestinely. It is the software user's responsibility to ensure the software is doing what you expect.

[orbz]

IANAL, but I suspect that it is considered unauthorized as there are many avenues in which a dependency will get updated without a user specifying this exact package and version. I think the key here is that there is clear malicious intent.

[Adraghast]

I rather doubt grandma pressing OK when asked to install the CoolWebSearch toolbar would hold up as a legal defense.

[jaimex2]

Upto a court to decide. Turns out he's in California which has laws against writing and distributing malicious code.

He's looking at state level:

if charged as a misdemeanor, the crime is punishable by: imprisonment in county jail for up to one year, and/or a maximum fine of $5,000.6

If charged as a felony, the offense is punishable by: imprisonment for up to three years, and/or a maximum fine of $10,000.7

Federal charges I'm not sure about.

[mannerheim]

Laws are enforced by people. I doubt any prosecutors will care, and if there are, I doubt any jury will convict.

[sva_]

Whats up with the .6 and .7?

[Dma54rhs]

Pretty sure under any Western country's law?

[kevin_thibedeau]

Wikipedia TOS

[sva_]

Criminal because of violating Wikipedia TOS. Seems about right. /s