I think what you're missing is that this discussion is not about the legal consequences of these individuals, but about ethical decisions that will have a negative impact on the ecosystem as a whole.
Tbh I don't see an ecosystem here; there are some dots which are connected, but it seems like people are thinking there is a liable vendor polishing npm packages..
Also I'm not sure which one is more unethical: malware from a random developer, or profiting from his/her "free code"
* by not giving any care about open source or sustainability of it at all.
* (in the view of big corp)