That is pretty evil.

Without signing attestation (both developer and code) there will be no way to find out who was responsible and stop the propagation. This will happen again.