
You can see a list of all npm packages uploaded between the time that the first compromised eslint package was uploaded and the token invalidation time here:

https://gist.github.com/thenewwazoo/0306aa06aafe7807497ed1db...




To follow up, I've downloaded all of the versions indicated here and none include the strings `raw/XLeVP82h`, `sstatic1.histats.com`, or `statcounter`, and none of the included `build.js` files contain `eval`. Not an exhaustive test.


Further follow-up: I've updated the gist to include all packages between the time at which the first compromised package was uploaded and the time at which the keys were invalidated (which was later than the invalidation threshold). I'm working on auditing the larger (~2000) list of packages now.


Final follow-up: a more-exhaustive search also returned no evals in build.js files, nor any obviously-suspicious strings.


Have you checked for

    \u0065val
or

    e\u0076al
or any other combination of it?


This is impossible in general.

  eval === this[[1,18,-3,8].map(x=>String.fromCharCode(x+100)).join("")]
https://jsfiddle.net/hkvu9s47/


That's the point: just checking for occurrences of strings like 'eval' gives you a false sense of security.
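An added example, not code from anyone in this thread, that runs the checks discussed above over a few constructed payloads: the literal-substring grep, a version that decodes identifier escapes first (which catches the `\u0065val` form), and a run-time hook on the global `eval` and `Function` (which also catches the computed-name form, since whatever spelling the payload uses ends up calling the function stored on the global object). The payload strings, function names and Node entry point are my own assumptions.

```javascript
// Added example (not from the thread): three constructed payloads that reach
// eval, one that reaches the Function constructor instead, two static checks
// that miss some of them, and a run-time hook that sees all of them.
// Run with: node scan.js   (Node >= 12, for globalThis)

// Constructed sample inputs. Each one evaluates the expression 1+1.
const PAYLOADS = {
  plain:    'eval("1+1")',
  escaped:  '\\u0065val("1+1")',   // identifier written with a unicode escape
  computed: 'globalThis[[1,18,-3,8].map(x=>String.fromCharCode(x+100)).join("")]("1+1")',
  ctor:     'Function("return 1+1")()',   // no eval at all, same effect
};

// Check 1: the grep from the thread. Only sees the literal substring.
function grepForEval(src) {
  return src.includes('eval');
}

// Check 2: decode \uXXXX and \u{...} identifier escapes, then grep.
// Catches the escaped form; still blind to names built at run time.
function decodeEscapes(src) {
  return src.replace(/\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})/g,
    (_, brace, four) => String.fromCodePoint(parseInt(brace || four, 16)));
}
function grepAfterDecoding(src) {
  return decodeEscapes(src).includes('eval');
}

// Check 3: behavioural. Replace the global eval and Function before running
// the code. Once globalThis.eval is no longer the original %eval%, even a
// syntactic `eval(...)` call degrades to an ordinary call of whatever is
// stored there, so every spelling of the name lands in the wrapper.
function runAndRecordEvalCalls(src) {
  const seen = [];
  const realEval = globalThis.eval;
  const RealFunction = globalThis.Function;
  globalThis.eval = (code) => { seen.push(String(code)); return realEval(code); };
  globalThis.Function = function (...args) {
    seen.push(args.join(','));
    return RealFunction(...args);
  };
  try {
    realEval(src);                 // indirect eval: payload runs in global scope
  } finally {
    globalThis.eval = realEval;    // always restore, even if the payload throws
    globalThis.Function = RealFunction;
  }
  return seen;
}

// Run every check over every payload and return the results as a table.
function auditAll() {
  const report = {};
  for (const [name, src] of Object.entries(PAYLOADS)) {
    report[name] = {
      grep:    grepForEval(src),
      decoded: grepAfterDecoding(src),
      dynamic: runAndRecordEvalCalls(src),
    };
  }
  return report;
}

console.log(JSON.stringify(auditAll(), null, 2));
```

The hook is a sandbox monitor, not a proof of absence: it only sees code that actually runs, a package can keep a reference to the real `eval` taken before the hook was installed or obtain a fresh one from another realm (`vm`, a worker, an iframe), and a payload that never calls `eval` at all is invisible to it. Swapping out the global also turns direct evals into indirect ones, which changes scoping and can alter a payload's behaviour, so run it against a copy in a throwaway environment.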



