ESLint

registrynpm

package nameeslint

maintainerESLint Team / OpenJS Foundation

ESLint is the standard JavaScript and TypeScript linter, used in virtually every modern frontend and Node.js project. It reads every source file in the linted scope and loads all configured plugins and rules. ESLint runs in developer environments and in CI/CD pipelines.

api usage

Checking ESLint

eslint 9.9.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash

curl "https://api.attestd.io/v1/check?product=eslint&version=9.9.0" \
  -H "Authorization: Bearer YOUR_API_KEY"

json

{
  "product": "eslint",
  "version": "9.9.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}

attack surface

Why this package is monitored

Linter packages run in CI/CD pipelines with access to all project source files and environment variables. A compromised ESLint core or plugin can exfiltrate source code or CI secrets during any linting pass.

Attestd monitors eslint using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

Supply chain overview All npm packages TypeScript Prettier Response fields