Just because there might be a grey area in some cases doesn't mean that you can't also distinguish some cases. Your example is clearly much more malicious than what the package author actually did.
This is obvious from the fact that GitHub won't suspend your account for releasing a new version of a package that has breaking changes... Clearly there is a scale here. The only disagreement is about where the line is.
IMO, if the package author had simply deleted the code, i.e. published a new version with no functionality, then no action should be taken against them by GitHub or NPM. For this example, I think suspending the account is OTT, but I think NPM would be justified in reverting the package, since an infinite loop is somewhat malicious: and by that I mean that nobody would reasonably expect a package to hang just from importing it. If the package actually deleted data, then both the suspension and the NPM revert would be justified.