by JonChesterfield 1559 days ago
Comments seem split between "that's illegal, beware the lawyers" and "don't RCE yourself then cry about it".

I've got some bash scripts on GitHub that would delete files on the local machine if run. Today I don't care if anyone else runs them. If, however, the winds are blowing towards people doing themselves harm with my code being my problem, I guess I should delete the code I've published.

Bad precedent to see here.

1 comments

Big difference between random code on GitHub and modifying a high-use JS dependency to delete user files. I'm not against protesting in software, for example printing something to stdout during install, but deleting files is malicious beyond reprieve.

Maybe, I'm not totally confident about there being a meaningful difference.

If the former counts as distributing malware, my bash script that clobbers local directories to put the machine back into a sane default state might be too. It does rm -rf ~/$DIR and similar. It's just not as successfully deployed.

Or software that wastes resources, maybe it goes into an infinite loop and DoSes the local CPU. I've got one of those called 'heater' or similar that I used to warm up a MacBook in a cold office. If someone ran that on a cluster it would be unhelpful.

Maybe the change in functionality to malware from a widely shipped useful product is the key distinction, coupled with limited disclosure of the behaviour change.