It isn't disguised as anything. If you included a random module in your application package manager, and allowed it to update itself and run scripts then liability is on you for not verifying it and checking the license to see if they provided any warranty.
But is this really a "warranty" issue? Sounds more like a fraud issue (ianal).
Given it was done with the intention of messing up other people's computers which the maintainer did not have legit access to - maybe it's even a CFAA criminal hacking issue (ianal).
Anyways, there's a huge difference between accidentally doing something and doing something with the specific intention of hurting someone else. Sure you can disclaim responsibility for accidents & negligence, but I'm pretty sure you can't disclaim responsibility for intentionally malicious conduct in a contract, certainly you wouldn't be able to do so if it was criminal conduct (IANAL).
If someone hands out free food on the corner with a sign that says you aren't entitled to it and so you get used to getting free food there. In fact, you've found ways to save on your budget because of it. You also optimized your route home from work to get there at the most convenient time.
One day, you show up and they have a sign up that says... No more free food, vote for Bernie. Are you really the type to complain that now you have to pay for food again or find someone else to give you free food, and throw a fit that their vote for Bernie sign is a trojan?
It's software, not consumable carbohydrates. Easily copied infinitely once created. Nobody is arguing he doesn't have to stop making it. Nobody is even arguing he doesn't have the right to delete his repos. What he did was intentionally poison the templates to trigger automated updates to break other people's software, and that's just not okay. Forget the machines... It's simply misanthropic behavior.
But he didn't withdraw his offering, he sabotaged it.
I guess the metaphor would be if you gave out free food all the time with a sign saying people aren't entitled to it, and then one day decided to add laxatives to it because you felt the people were ungrateful.
Which would land you in jail for a long time no matter what the sign said.
No, the person giving free food here did not go up to people's houses saying here is free food still, eat it cause it is yummy and safe. The people getting the free food showed up cause they felt entitled, grabbed whatever they could find and said... oh, this isn't the free food that I'm used to getting here... oh, and I forgot to read the sign that has been there all along.
This analogy doesn't work the way you want it to. What you are describing would be literally illegal.
The person who put up the free food and the sign, after it was proven that they willfully poisoned the food (which is the only way I can interpret intentionally encoding an infinite loop in your testing library), would be liable for assault. You cannot just put up a sign that says "taker beware" to indemnify yourself from liability, especially after establishing the pattern that the food is safe.
If you ever wondered why grocery stores throw out perfectly good food (and sometimes padlock their dumpsters) rather than donate it to shelters, it's because this is how society works. They have to be clear that even food being thrown away is not intended to be free for the taking because if a pattern becomes established of people eating safe food out of a grocery store dumpster and one day that food is not safe, the grocery store can be held liable for injuries. Even if the grocery store never wanted anyone to use that food. The hard part would be proving the store intentionally poisoned it... But if that proof were made, the law is clear on who is responsible for the harm caused, and it's not the people eating out of the dumpster.
The underlying philosophical principle that underpins all of this legal precedent is "Don't intentionally cause harm." Marak broke that principle. Thank God Marak was only writing npm libraries and didn't own a grocery store.
This entire story, from the initial changes through the breakages through third parties intervening to mitigate their services being used to cause the breakages through other third parties stepping in to take responsibility to continue maintaining the code that had become vital, is one big open source community success story. The community interpreted intentional harm as damage and routed around it. And that was always one of the intended benefits of the open source approach, right? That the creator of the software can't ruin your day because they feel like it? Whether that creator is an evil corporation refusing to open their proprietary code, or a rogue actor deciding to take a sledgehammer to the pipeline... Open source mitigates the harm caused by both.