Happily, the version my installed eslint contains is later:
% npm info eslint|grep scope
Interesting attack: Collect one bad password, use that to get someone's npm credentials, push a virus that uploads more peoples' npm credentials. Soon they could have had every package infected. Only being watchful prevented catastrophe.
Repeating my Password lesson: Use strong passwords. Do not ever reuse passwords.