
But on the other hand, these people are not promising anything, are they? Check the MIT/BSD/GPL etc., all of them explicitly state that the software does _not_ come with any kind of guarantee.

Harsh reality is: It's the user's responsibility to test for those. No one is forcing you to use this piece of code which is given as-is without any guarantees. No one is forcing you to update. It might be a dependency, but still it's not the problem of the code owner.

Or am I missing something?



They are not. And there would be absolutely nothing wrong with them no longer maintaining the package, deleting it, or with the package not working.

The issue here is spreading actual malware. A developer doesn't owe anything to anyone.

But actually and actively harming others through actual malware is unethical even if someone didn't promise they wouldn't do so.

If I give someone a piece of food that I expressly don't guarantee anything about, the worst one would assume is that it might be spoiled and I didn't check, or that the ingredients may be of very low quality. Not that I actually purposefully poisoned it.


I don't know. Going from the same example, if you give me food with a note on it saying "I won't be liable for anything, I am not giving any guarantees. And if you'd like to give this food to someone else, you must give a copy of this note too.", the poison possibility is not off the table.

Anyway, I understand the frustration of people who got broken tests, but just noting the different angle.


I think what you're missing is that this discussion is not about the legal consequences of these individuals, but about ethical decisions that will have a negative impact on the ecosystem as a whole.


Tbh I don't see an ecosystem here, there are some dots which are connected but it seems like people are thinking there is a liable vendor polishing npm packages..

Also I'm not sure which one is more unethical: Malware from a random developer or profiting over his/her "free code" * by not giving any care about open source or sustainability of it at all.

* (in the view of big corp)



