

I would say colors.js definitely can be considered malware. He in effect intentionally spinlocked a lot of packages either directly or indirectly via transitive dependencies, and also intentionally bypassed common semver rules to maximize the damage.

Whether or not those packages should have been affected is another discussion, but it appears it probably had more of an effect on other open source packages and perhaps the work of small mom-and-pop companies rather than huge corporations.


To an automated protection system that detects “repo deletion + index.html rant” commits, deleting the codebase and updating the README would red flag instantly except for the different filename, and catch lots of garden-variety intrusions.

The deletion here was more complex, and most likely a human was assigned to review user reports to GitHub Security, who accurately determined it was a defacement from someone claiming to be the author’s credentials.

Turns out the author was the attacker, and with that confirmed, it appears that their access was restored so they could proceed with it.


> Turns out the author was the attacker, and with that confirmed, it appears that their access was restored so they could proceed with it.

I suspect this is how it played out as well. In fact, there were a lot of people on Twitter who were questioning whether the author really got suspended, since he was posting to GitHub a day or two after he posted his suspension picture.


Like I said above: if that really was how it happened, I would be totally okay with that, and it's completely understandable. But without a public statement from GitHub on such a visible and public controversy, we're left to speculate on their motives. Many people here disagree about why and whether GitHub should have or did suspend Marak. I would say that your view is the maximally charitable view to GitHub themselves. And frankly it's very likely to be true. But it seems like a lot of people believe that GitHub should have suspended his account, and I disagree with that.


People don't just believe his account should have been suspended, they feel that he should be prosecuted and charged with civil tort given the comments. I think they are ridiculous Karens who would destroy open source in a heartbeat given the opportunity.



