You can pretend there's no difference between this and a computer virus, but there clearly is.
The users of this software pull it, explicitly, voluntarily. The author says it doesn't serve any particular purpose, and in using it you understand that. the software itself did nothing malicious, it just stopped working. It's not the same thing as slapping a license on a computer virus and forcibly foisting it onto an unwitting victim. It's not naive legalese loophole workaround thinking. When you choose to use the software you agree to abide by the license, which includes no promise of utility whatsoever.
Those seem like different things since a computer virus "user" never consents to or accepts the license, whereas someone importing the library into their package.json has.
Eh, just write in the EULA exactly what your virus will do and that they have no warranty, bundle it as an add-on a la toolbar bundling in the 00s, and bam, you've got the user's consent to do anything!
He is responsible for his own behavior, and harming with intent is not a liability that can be waived in the US. This is literally first week of Contracts course material in law school.
But there was no harm or no intent to harm, the software just stopped working. Just because you rely on someone's work doesn't mean you can expect it to continue forever.
