0 / 0
Skip to content

How I Built a Package Tracker That Bypasses Anti-Bot Security

Posted on August 6, 2025

Hey there!

Note: This post is purely educational and documents my learning journey. The techniques described are for understanding web security mechanisms, not for circumventing legitimate security measures.

So, I had this interesting challenge recently. I wanted to convert a simple Node.js script into a proper executable for tracking packages. Sounds straightforward, right? Well, it turned into quite the adventure!

What started as a simple script conversion evolved into a full-blown investigation of sophisticated anti-bot security systems. And you know what? I actually cracked it!

The Beginning: A Simple Request

It all started innocently enough. I had a Node.js script that tracked packages from a popular package tracking website, and I wanted to make it a proper executable so I could pass tracking IDs as command-line arguments.

bash
#!/usr/bin/env node
// ... some tracking logic

I thought, “Piece of cake! Let’s just make this a proper executable and we’re done.”

Oh, how naive I was!

The Plot Thickens: Security Discoveries

As I started digging into the website, I discovered something fascinating. The site had this sophisticated security system that was generating these mysterious se parameters. Every time I tried to modify the tracking ID, I’d get this frustrating error:

json
{ "error": "RELOAD" }

It was like the website was saying, “Nice try, but I know you’re not a real browser!”

The Investigation Begins

I spent hours analyzing the browser’s JavaScript files, trying to understand how this se parameter was generated. I found these minified files:

  • application-456d3cad141a67c790f8.js
  • recent-tracking-b9c47e442a8eeb4fe8ca.js

And let me tell you, reverse-engineering minified JavaScript is like trying to read a book that’s been put through a paper shredder!

But I persisted, and I discovered something incredible. The se parameter was actually a browser fingerprint - it included things like:

  • Window dimensions
  • Screen size
  • Navigator properties
  • WebGL renderer info
  • Plugin detection
  • Chrome-specific data
  • Base64-encoded hostname
  • Error stack traces

It was like the website was taking a “photo” of your browser and using it to verify you were human!

The Breakthrough: Stealth Plugins

After many failed attempts to manually recreate this fingerprint, I had a lightbulb moment. What if instead of trying to fake being a browser, we actually used a real browser?

Enter puppeteer-extra and puppeteer-extra-plugin-stealth. These amazing libraries let you control a real Chrome browser programmatically while making it virtually undetectable to anti-bot systems.

The key insight came from discovering these stealth plugins myself. I was learning about browser automation and stumbled upon puppeteer-extra and puppeteer-extra-plugin-stealth. When I added these, suddenly everything started working!

The Solution: A Reusable Module

After all that detective work and learning, I created a clean, reusable module that anyone can use:

javascript
import { trackPackage } from './package-tracker.mjs'

// Just get the tracking data - no verbose output
const result = await trackPackage('CINL5344382461944')
console.log(result.status) // "transit"
console.log(result.origin) // "China"
console.log(result.destination) // "Netherlands"

It’s that simple! The module handles all the complex browser automation and security bypass automatically.

What I Built

Here’s what my final solution can do:

Track packages from any carrier supported by the website
Bypass sophisticated anti-bot security using stealth plugins
Work reliably in production with headless browser automation
Handle multiple tracking scenarios gracefully
Provide clean, structured data about package status
Support both CLI and programmatic usage

The Technical Magic

The real magic happens with these key components:

  1. Puppeteer with Stealth: Real browser automation that’s virtually undetectable
  2. Network Interception: Capturing API responses in real-time
  3. Error Handling: Graceful fallbacks when things go wrong
  4. Validation: Making sure tracking IDs are valid before processing

Real Results

Here’s what a successful tracking response looks like:

json
{
  "states": [
    {
      "location": "Netherlands",
      "date": "2025-08-04T15:04:00Z",
      "status": "International flight has arrived"
    }
  ],
  "origin": "China",
  "destination": "Netherlands",
  "weight": "0.088 kg",
  "carriers": ["Yun Express"],
  "status": "transit"
}

Pretty cool, right?

Lessons Learned

This project taught me some valuable lessons as I was learning:

  1. Security is fascinating: Modern websites use incredibly sophisticated methods to detect bots
  2. Persistence pays off: Sometimes the solution isn’t where you expect it
  3. Real browsers beat fake ones: Instead of trying to fake browser behavior, use a real browser
  4. Stealth plugins are amazing: The puppeteer-extra ecosystem is incredibly powerful
  5. Documentation matters: Good examples and documentation make code much more useful

Technical Implementation

For educational purposes, here’s how the system works:

  1. Install the dependencies:

    bash
    pnpm add puppeteer-extra puppeteer-extra-plugin-stealth
  2. Use the module:

    javascript
    import { trackPackage } from './package-tracker.mjs'
    const result = await trackPackage('YOUR_TRACKING_ID')
  3. Or use it from the command line:

    bash
    node package-tracker.mjs YOUR_TRACKING_ID

The Takeaway

What started as a simple script conversion turned into a deep dive into web security, browser automation, and API reverse engineering. It’s amazing how much you can learn when you follow a problem all the way through!

The final result is a robust, reusable package tracking solution that can handle real-world scenarios. And the best part? It’s all open source and ready for anyone to use!

This whole journey was a fantastic learning experience. I discovered so much about modern web security, browser automation techniques, and the incredible power of the puppeteer ecosystem. What seemed like a simple task turned into an exploration of sophisticated anti-bot systems and how to work with them effectively.

So next time you think “I’ll just make this a simple executable,” be prepared for an adventure! You never know where it might lead.

Happy coding!


P.S. If you’re interested in the technical details, check out the full project on GitHub. The changelog tells the whole story of the debugging adventures!*