This is so ass-backwards and you're practically twisting yourself over backwards a dozen times to somehow try to argue that this wasn't malicious. He basically poisoned the library, and you're blaming all the people who got poisoned because "they didn't fully inspect the contents of the code".
So do you disagree with the idea that it is his library?
If you agree that this is his library, do you believe what he did is different than a company changing their public API or deprecating them without any notice?
It’s deliberate sabotage and shipped as a routine update. If he’d walked away or made a breaking change in a major release, nobody would expect more.
Similarly, if it was a service everyone understands that those require money to operate but there’s no analogous reason to tell people to upgrade to deliberately broken code.
