[btown]

> The person said things like "how would anyone find out", "what does it matter", "everyone does it"

To me, this reads as a toxic person who would try to get away with these things if they hadn't been caught, and who could lead to a massive shift in ethics and morale if allowed to proceed unchecked. That's really alarming. Imagine if a person with this attitude was in a position where they were responsible for code safeguarding PII or other sensitive data (and arguably, this may already be true, e.g. if they were to introduce a security hole in their component). It's essential that you document everything contemporaneously (or as close to that as possible), ensure the person's manager first knows your concerns in private - and if they don't take any action, give them the heads up that you'll need to escalate to your manager about potential ongoing legal risks. It will be annoying to navigate the politics, but it will be much more annoying if the wound festers.

Frankly, there's a lot of talent out there right now with great ethical compasses and experience with large codebases, and allocating headcount to a toxic person simply isn't optimal in that context. And even if you're in a situation where a dismissed team member won't be replaced e.g. due to hiring freezes... this person may very well be having a negative effect on the team. Just first make sure that they're not someone's kid... and good luck!