Version 3.7.2 of the popular package `eslint-scope` was published without authorization ( see
https://github.com/eslint/eslint-scope/issues/39 ). This version contained apparently malicious code that attempted to steal npm login tokens. It has been unpublished and is no longer available.
npm is aware of this issue and is actively taking steps to investigate, identify and notify affected users, and further protect our users.
Your npm login token does not give an attacker your npm password. You can revoke all existing tokens by visiting
https://www.npmjs.com/settings/~/tokens .