by celticninja 1559 days ago
Is it unauthorised if a user chooses to add the package themselves? This is not being put into anyone's machine clandestinely. It is the software user's responsibility to ensure the software is doing what you expect.

IANAL, but I suspect that it is considered unauthorized as there are many avenues in which a dependency will get updated without a user specifying this exact package and version. I think the key here is that there is clear malicious intent.
I rather doubt grandma pressing OK when asked to install the CoolWebSearch toolbar would hold up as a legal defense.
Up to a court to decide. Turns out he's in California, which has laws against writing and distributing malicious code.

He's looking at state level:

If charged as a misdemeanor, the crime is punishable by: imprisonment in county jail for up to one year, and/or a maximum fine of $5,000.6

If charged as a felony, the offense is punishable by: imprisonment for up to three years, and/or a maximum fine of $10,000.7

Federal charges I'm not sure about.

Laws are enforced by people. I doubt any prosecutors will care, and if there are, I doubt any jury will convict.
What's up with the .6 and .7?
Probably section numbers that copied and pasted weirdly.
inflation