eslint-plugin-anti-trojan-source
1.1.2 verified Sat Apr 25 auth: no javascript
ESLint plugin (v1.1.2) that detects Trojan Source attacks using Unicode bidirectional (bidi) characters in JavaScript/TypeScript code. It provides a single rule, `no-bidi`, that flags maliciously embedded Unicode control characters that can make code appear differently to human readers than to compilers. The plugin includes a recommended configuration for easy adoption. It was updated as recently as November 2025, but the core functionality (the single rule) has been stable since 2021. It inspired the similar rule `detect-bidi-characters` in eslint-plugin-security. No dependencies. Actively maintained.
Common errors
error Error: Failed to load plugin 'anti-trojan-source': Cannot find module 'eslint-plugin-anti-trojan-source'
cause Plugin not installed or missing from node_modules.
fix Run `npm install --save-dev eslint-plugin-anti-trojan-source`.
error Configuration for rule "no-bidi" is invalid: Rule "no-bidi" is not valid
cause Rule namespacing omitted; the rule must be referenced as `anti-trojan-source/no-bidi`.
fix Use `"anti-trojan-source/no-bidi"` in the rules object.
error ESLint: Plugin "anti-trojan-source" was conflicted between "..." and "..."
cause Plugin loaded twice from different config files.
fix Ensure only one config file defines the plugin (e.g., move plugins to root .eslintrc).
Warnings
deprecated Consider using eslint-plugin-security's `detect-bidi-characters` rule instead.
fix Switch to `eslint-plugin-security` and enable the `detect-bidi-characters` rule for broader security scope.
breaking ESLint flat config (v9) requires a different configuration format; this plugin may not be compatible out of the box.
fix Use the legacy config format for now, or check the plugin for flat config support. For flat config: `import antiTrojan from 'eslint-plugin-anti-trojan-source';` and include `antiTrojan.flatConfigs.recommended`.
gotcha The plugin only detects bidi characters, not all Trojan Source vectors such as homoglyphs or zero-width spaces.
fix Complement it with other tools such as the `anti-trojan-source` CLI, or use `eslint-plugin-security` for wider coverage.
gotcha Rule `no-bidi` can produce false positives on legitimate Unicode characters used in comments or strings (e.g., RTL language comments).
fix Mark false positives with `// eslint-disable-next-line anti-trojan-source/no-bidi` (but ensure they are intentional).
Install
npm install eslint-plugin-anti-trojan-source
yarn add eslint-plugin-anti-trojan-source
pnpm add eslint-plugin-anti-trojan-source
Imports
- Plugin config (extending recommended)
wrong { "extends": ["plugin:anti-trojan-source/recommended"] }
correct { "extends": ["eslint:recommended", "plugin:anti-trojan-source/recommended"] }
- Plugin config (manual)
wrong { "plugins": ["eslint-plugin-anti-trojan-source"], "rules": { "no-bidi": "error" } }
correct { "plugins": ["anti-trojan-source"], "rules": { "anti-trojan-source/no-bidi": "error" } }
- Rule name
wrong "no-bidi"
correct "anti-trojan-source/no-bidi"
Quickstart
npm install --save-dev eslint eslint-plugin-anti-trojan-source
# .eslintrc.json
{
  "extends": ["eslint:recommended", "plugin:anti-trojan-source/recommended"]
}
# or manually:
# .eslintrc.json
{
  "plugins": ["anti-trojan-source"],
  "rules": {
    "anti-trojan-source/no-bidi": "error"
  }
}
# Create a test file that contains bidi control characters.
# bash's printf expands \uXXXX (in a UTF-8 locale); echo with single quotes
# would write the escape sequences as literal text, which the rule does not flag.
printf 'const isAdmin = false; // \u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only\n' > test.js
npx eslint test.js
# Expected: error about trojan source attack
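What a bidi-control check looks for in the Quickstart line, as an added example (not the plugin's own code): a standalone scanner that reports each bidi control character with its position and marks lines where a control is still open at end of line. The function name `scanBidi`, the character set (taken from the Trojan Source paper) and the sample lines are assumptions made for this illustration.

```javascript
// Added example: standalone scan for Unicode bidi control characters.
// The character set is the one listed in the Trojan Source paper; whether the
// plugin's no-bidi rule checks exactly this set is an assumption.
const BIDI_CONTROLS = new Map([
  [0x202a, { name: 'LRE', opens: 'embed' }],
  [0x202b, { name: 'RLE', opens: 'embed' }],
  [0x202d, { name: 'LRO', opens: 'embed' }],
  [0x202e, { name: 'RLO', opens: 'embed' }],
  [0x202c, { name: 'PDF', closes: 'embed' }],
  [0x2066, { name: 'LRI', opens: 'isolate' }],
  [0x2067, { name: 'RLI', opens: 'isolate' }],
  [0x2068, { name: 'FSI', opens: 'isolate' }],
  [0x2069, { name: 'PDI', closes: 'isolate' }],
]);

// Returns one finding per bidi control (1-based line and column) plus the lines
// where an embedding, override or isolate is still open at end of line.
// The open/close counters are a simplification, not the full UAX #9 stack.
function scanBidi(source) {
  const findings = [];
  const unterminatedLines = [];
  source.split(/\r\n|\r|\n/).forEach((text, i) => {
    const depth = { embed: 0, isolate: 0 };
    let col = 0;
    for (const ch of text) { // iterate by code point
      col += 1;
      const info = BIDI_CONTROLS.get(ch.codePointAt(0));
      if (!info) continue;
      findings.push({ line: i + 1, column: col, name: info.name,
        codePoint: 'U+' + ch.codePointAt(0).toString(16).toUpperCase() });
      if (info.opens) depth[info.opens] += 1;
      else if (depth[info.closes] > 0) depth[info.closes] -= 1;
    }
    if (depth.embed > 0 || depth.isolate > 0) unterminatedLines.push(i + 1);
  });
  return { findings, unterminatedLines };
}

// Constructed sample: the Quickstart line, an RTL comment wrapped in a balanced
// isolate, and a line whose only oddity is a zero-width space (not a bidi control).
const SAMPLE = [
  'const isAdmin = false; // \u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only',
  '// \u2067\u05E9\u05DC\u05D5\u05DD\u2069 greeting',
  'const a\u200Bb = 1;',
].join('\n');

console.log(JSON.stringify(scanBidi(SAMPLE), null, 2));
```

The balanced RTL comment on line 2 is still reported but is not listed as unterminated, which helps when deciding whether a finding deserves an `eslint-disable-next-line`; the zero-width space on line 3 produces no finding, matching the gotcha about non-bidi vectors.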