-
Beta Was this translation helpful? Give feedback.
Replies: 3 comments
-
|
Based on what you've shared, I don't think npm is intentionally blocking security researchers. This looks more like Cloudflare's automated protection flagging something about the request rather than the report itself. A few possibilities come to mind:
Since you've already had many reports successfully reviewed and resolved, that suggests your account has a history of legitimate submissions, so I'd be surprised if this were related to trust in the reporter. If you continue seeing the block, I'd recommend collecting the Cloudflare Ray ID, timestamp, browser information, and whether you were using a VPN or residential connection. Those details should help the npm team trace the specific Cloudflare event and determine which rule is being triggered. I'm not aware of a public allowlist for frequent reporters, but if this is a recurring false positive, hopefully the security team can review the Cloudflare logs and either adjust the rule or suggest a more reliable reporting path. Thanks for taking the time to report malicious packages—it's an important contribution to the ecosystem. |
Beta Was this translation helpful? Give feedback.
-
|
This is a known friction point for security researchers. Here is how to work around the Cloudflare block and get your malware reports through: Why Cloudflare blocks security researchersCloudflare's WAF (Web Application Firewall) sometimes flags security-related content in form submissions — package names, malicious URLs, shellcode snippets, etc. — as attacks, blocking the submission. This is a false positive triggered by the content of your report. WorkaroundsOption 1: Use the npm security email (most reliable)Send your report directly to the npm security team: This bypasses all web forms. Use this format:
Option 2: Use GitHub's security advisory formSince npm is owned by GitHub, you can also report via: Option 3: Reduce WAF trigger contentIf you must use the web form:
Option 4: Use a VPN or different networkCloudflare blocks are sometimes IP-reputation based. Switching networks may help. Option 5: npm abuse report formTry the direct abuse report URL: Select "Report a package" from the category dropdown. Thank you for contributing to npm ecosystem security — these reports are genuinely valuable! 🛡️ |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for your efforts in reporting malicious npm packages and helping improve the security of the ecosystem. A Cloudflare block doesn't necessarily mean your account has been restricted. In many cases, it can be triggered by automated security rules based on factors such as request frequency, browser configuration, VPN/proxy usage, IP reputation, or unusual traffic patterns. To help the npm Security team investigate, I'd recommend providing: The Cloudflare Ray ID shown on the block page. Since you've successfully submitted many legitimate malware reports in the past, mentioning your history of accepted reports is useful context. The npm team may be able to determine whether this is a false positive and advise whether an allowlist or another reporting method is available for trusted researchers. Hopefully they can review the Cloudflare logs associated with the Ray IDs and identify why your requests are being blocked. |
Beta Was this translation helpful? Give feedback.

This is a known friction point for security researchers. Here is how to work around the Cloudflare block and get your malware reports through:
Why Cloudflare blocks security researchers
Cloudflare's WAF (Web Application Firewall) sometimes flags security-related content in form submissions — package names, malicious URLs, shellcode snippets, etc. — as attacks, blocking the submission. This is a false positive triggered by the content of your report.
Workarounds
Option 1: Use the npm security email (most reliable)
Send your report directly to the npm security team:
This bypasses all web forms. Use this format:
[SECURITY] Malicious package: <package-name>