
I built an Express.js middleware that detects bots using behavioral scoring — and published it to npm
Ever watched your “protected” Express API get farmed by bots anyway? You add IP rate limiting… they rotate IPs. You add CAPTCHAs… your users hate you. You add a WAF… your finance team hates you.

So I built ShadowShield — a free, open-source behavioral security middleware for Express that detects bots by analyzing how they make requests, not just how many.

How it works

Most rate limiters ask one question: “How many requests did this IP make?” ShadowShield asks five:

rpm — How fast are requests coming in?
error_rate — What percentage of requests return errors?
entropy — How many different endpoints are being hit?
cv_gap — How regular is the timing between requests?
volume — How much data is being transferred?

Each feature is normalized and weighted into a final risk score. If the score exceeds 0.5, the IP is blocked.

The cv_gap feature

This is the most interesting signal. Bots are unnaturally consistent. A human using your API will have random gaps between requests — 800 ms, 2.3 s, 400
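To make the five-feature score and the cv_gap signal concrete, here is an added example in plain JavaScript that is not ShadowShield's own code: it computes the coefficient of variation of inter-request gaps and folds it into a weighted risk score. The 0.5 block threshold comes from the post; the feature weights, the CV-to-score mapping and the sample timestamps are assumptions constructed for illustration.

```javascript
// Added example (not ShadowShield's code): a cv_gap-style timing feature plus a
// weighted five-feature risk score. The 0.5 block threshold is from the post;
// the feature weights and the CV-to-score mapping are assumptions.

// Coefficient of variation (std dev / mean) of the gaps between request
// timestamps. Near 0 means metronome-like timing; human browsing tends to land near or above 1.
function cvGap(timestampsMs) {
  if (timestampsMs.length < 3) return null; // fewer than two gaps: regularity is undefined
  const gaps = [];
  for (let i = 1; i < timestampsMs.length; i++) {
    gaps.push(timestampsMs[i] - timestampsMs[i - 1]);
  }
  const mean = gaps.reduce((a, g) => a + g, 0) / gaps.length;
  if (mean <= 0) return 0; // identical timestamps: treat as perfectly regular
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean;
}

// Normalize the CV into a [0, 1] suspicion score (assumed mapping): CV 0 -> 1,
// CV >= 1 -> 0, unknown (too few samples) -> 0 so a single request is not penalized.
function cvGapScore(cv) {
  if (cv === null) return 0;
  return Math.max(0, 1 - Math.min(cv, 1));
}

// Assumed weights; every feature is expected already normalized to [0, 1],
// where 1 is the most bot-like value for that feature.
const WEIGHTS = { rpm: 0.25, error_rate: 0.2, entropy: 0.15, cv_gap: 0.25, volume: 0.15 };
const BLOCK_THRESHOLD = 0.5; // from the post: block when the score exceeds 0.5

function riskScore(features) {
  let score = 0;
  for (const [name, weight] of Object.entries(WEIGHTS)) {
    const v = Math.min(1, Math.max(0, features[name] ?? 0)); // clamp defensively
    score += weight * v;
  }
  return score;
}

function shouldBlock(features) {
  return riskScore(features) > BLOCK_THRESHOLD;
}

// Constructed sample timestamps (ms): a human browsing irregularly vs a script
// polling every ~500 ms with a few ms of jitter.
const humanTimes = [0, 800, 3100, 3500, 9200, 9700];
const botTimes = [0, 500, 1001, 1499, 2002, 2500];

console.log('human cv_gap', cvGap(humanTimes).toFixed(3), 'bot cv_gap', cvGap(botTimes).toFixed(3));
```

Note that the regularity score is deliberately neutral when fewer than two gaps exist, so a first-time visitor is scored on the other four features alone.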
Continue reading on Dev.to

