Skip to content
Discussion options

You must be logged in to vote

This is a known friction point for security researchers. Here is how to work around the Cloudflare block and get your malware reports through:

Why Cloudflare blocks security researchers

Cloudflare's WAF (Web Application Firewall) sometimes flags security-related content in form submissions — package names, malicious URLs, shellcode snippets, etc. — as attacks, blocking the submission. This is a false positive triggered by the content of your report.

Workarounds

Option 1: Use the npm security email (most reliable)

Send your report directly to the npm security team:

security@npmjs.com

This bypasses all web forms. Use this format:

  • Subject: [SECURITY] Malicious package: <package-name>
  • Body:

Replies: 3 comments

Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
0 replies
Answer selected by Alanxtl
Comment options

You must be logged in to vote
0 replies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Category
npm
Labels
Question Ask and answer questions about GitHub features and usage npm Discussions around programming langages, open source and software development Welcome 🎉 Used to greet and highlight first-time discussion participants. Welcome to the community! source:ui Discussions created via Community GitHub templates
4 participants