fix: remove npm due to Cloudflare WAF blocking all requests #2841

Open
juliosuas wants to merge 1 commit into sherlock-project:master from juliosuas:fix/npm-cloudflare-false-negative

@juliosuas

Problem

npm (npmjs.com) now uses Cloudflare WAF challenge protection that returns HTTP 403 for all profile page requests, regardless of whether the username exists. This causes consistent false negatives — Sherlock can never detect an npm profile.

$ curl -sI 'https://www.npmjs.com/~kennethsweezy'
HTTP/2 403
cf-mitigated: challenge

Both existing (~kennethsweezy) and non-existing usernames receive identical 403 responses with cf-mitigated: challenge headers.

Fix

Remove the npm entry from data.json. The Cloudflare challenge requires browser-level JavaScript execution that can't be solved with simple HTTP requests.

This is the same pattern as 1337x and Giphy (see #2835).

Fixes #2628

npm (npmjs.com) now returns HTTP 403 for all profile requests due to
Cloudflare WAF challenge protection. This causes consistent false
negatives since sherlock's status_code detection treats non-2xx
responses as 'not found'.

Both existing and non-existing usernames receive identical 403
responses, making reliable detection impossible without browser-level
challenge solving.

Fixes sherlock-project#2628
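
The false negative described in this PR, as an added example that is not part of the pull request or of Sherlock's code: a status-code check that reports a Cloudflare challenge as "blocked" instead of "not found", plus a self-check that marks a site entry unusable when a known-existing and a known-missing username cannot be told apart. The names `Response`, `classify`, `naive_classify` and `site_is_usable` are hypothetical, and the sample responses are constructed from the curl output above.

```python
# Added example; not Sherlock's code. All names are hypothetical.
from dataclasses import dataclass, field

CLAIMED, AVAILABLE, BLOCKED = "claimed", "available", "blocked"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: dict = field(default_factory=dict)


def is_waf_challenge(resp):
    """True when Cloudflare marks the response as a challenge page."""
    headers = {k.lower(): v.strip().lower() for k, v in resp.headers.items()}
    return headers.get("cf-mitigated") == "challenge"


def naive_classify(resp):
    """Behaviour described in the commit message: non-2xx means not found."""
    return CLAIMED if 200 <= resp.status < 300 else AVAILABLE


def classify(resp):
    """Same status-code rule, but a challenge yields no verdict at all."""
    if is_waf_challenge(resp):
        return BLOCKED  # the site itself never answered the request
    return naive_classify(resp)


def site_is_usable(known_existing, known_missing):
    """A site entry is only useful if a known-existing and a known-missing
    username give different verdicts and neither was blocked."""
    a, b = classify(known_existing), classify(known_missing)
    return BLOCKED not in (a, b) and a != b


# Constructed responses modelled on the curl output in the PR description.
npm_existing = Response(403, {"cf-mitigated": "challenge"})
npm_missing = Response(403, {"CF-Mitigated": "challenge"})
# Constructed responses for a hypothetical site with no challenge in front.
plain_existing, plain_missing = Response(200), Response(404)

if __name__ == "__main__":
    print("naive verdict for existing npm user:", naive_classify(npm_existing))
    print("challenge-aware verdict:", classify(npm_existing))
    print("npm entry usable:", site_is_usable(npm_existing, npm_missing))
    print("plain entry usable:", site_is_usable(plain_existing, plain_missing))
```
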