It's incredible that he's doing all this ... on the world's most popular open-source hosting platform, which is built on (and fucking named after) the source control software that inspired it, and where preserving historical versions of everything (comments, pull requests, text, issue titles, source code, etc.) is a fundamental feature. Anyone can go back in any issue's history or the repository's commits to see the original discussions and nefarious deeds. That and all the "juicy" stuff has been well-preserved by all sorts of people, has hit the search engines and has even formally documented at NIST as a vulnerability.
There's no erasing this now. This is a profoundly stupid person.
No. /g/ has been flooded with trolls (and idiots, I assume) all smugly proclaiming "but muh license!" indemnifies this idiot against damage claims. They're wrong, of course.
A license agreement cannot indemnify a party from prosecution for a crime they commit. Whether a piece of paper two people agreed to says "if you use my software you have to accept anything and everything it does" or not, pwning a computer system is still a crime. The vector of attack (and the license agreement governing it, if any) is irrelevant.
Consider the current plague of software-as-a-service. If you pay for a year of access to Adobe Photoshop, if you stop paying after that year, all they do is stop the software from working for you until you pay for it again. They don't go through your filesystem to delete anything you created with it (or just files at random). I don't doubt it's crossed their minds, but their lawyers have probably warned them they'll get in hot water for that. Even just holding a customer's data hostage on their own computers while resolving a payment dispute is a legal grey area.
This guy? He wrote malicious code with no legitimate purpose (i.e. his users would never want it to be triggered and perform its actions on their own systems), obfuscated it (a little), snuck it into an update without disclosing it or warning anyone and allowed it to be released and deployed. When confronted he openly acknowledged he did it to cause damage to specifically-targeted computer systems, then when he realized he'd made a big mistake he quickly began (poorly) trying to cover his tracks.
Null is spot on -- this was malware. You can't protect yourself from legal action or prosecution just by saying "lol I can do what I want" in the license agreement.
ETA:
This is standard operating procedure for Microsoft: embrace, extend, extinguish.
VS Code and WSL are the "embrace" phase (get everyone hooked on their tools and ecosystem). Typescript is the "extend" phase ("it's our flavor of Javascript! Totally backwards-compatible, but with more features!"). Screwing with the Javascript standards is the beginning of the "extinguish" phase ("everybody uses this anyway, so why not make it the new standard and throw out this old-and-busted ES5 stuff? Our technology includes all its features anyway! Why no, we'll never lock it down and/or remove features, why would you ever think that?").
And a typical one.