I wonder if anyone has actually been charged based on malicious open source contributions. Off the cuff, it seems unlikely -- the person whose computer was damaged would have to navigate multiple jurisdictions and explain something technical to a court, likely as an individual.
The precursors to such a situation don't have to be exceptionally unusual. It could be someone working in a language that is not normally compiled ahead of time and shipped in binary form (e.g. malicious Javascript). Even if not accompanied by a license, the code just has to use pieces of some open source work so that it is a derived work. That malware author is then effectively a contributing author, whether aware of it or not.
> the person whose computer was damaged would have to navigate multiple jurisdictions and explain something technical to a court, likely as an individual.
Easily done if the person is actually a mega corporation.
Though [re-reading parent] if we are specifically concerned with contributions that were accepted by a non-malicious upstream under good faith and then turned out to be malicious, then that is something else.