If you spew projects laced with hidden malware into an open source repository, don’t waste your time telling us “no harm done” afterwards.