Happily, the version my installed eslint contains is later:
% npm info eslint|grep scope
eslint-scope: ^4.0.0
Interesting attack: Collect one bad password, use that to get someone's npm credentials, push a virus that uploads more peoples' npm credentials. Soon they could have had every package infected. Only being watchful prevented catastrophe.
Repeating my Password lesson: Use strong passwords. Do not ever reuse passwords.