diff --git a/client/About.md b/client/About.md
index f6f4126..8dcaae4 100644
--- a/client/About.md
+++ b/client/About.md
@@ -41,6 +41,10 @@ The goal of unpkg is to provide a hassle-free CDN for npm package authors. It's
 
 unpkg is not affiliated with or supported by npm, Inc. in any way. Please do not contact npm for help with unpkg.
 
+### Abuse
+
+unpkg blacklists some packages to prevent abuse. If you find a malicious package on npm, please take a moment to add it to [our blacklist](https://github.com/unpkg/unpkg.com/blob/master/server/package-blacklist.json)!
+
 ### Feedback
 
 If you think this is useful, I'd love to hear from you. Please reach out to [@mjackson](https://twitter.com/mjackson) with any questions/concerns.
diff --git a/server/index.js b/server/index.js
index 1936d6b..9006f9e 100644
--- a/server/index.js
+++ b/server/index.js
@@ -103,7 +103,8 @@ const defaultServerConfig = {
 
   // for the middleware
   registryURL: process.env.REGISTRY_URL || 'https://registry.npmjs.org',
-  autoIndex: !process.env.DISABLE_INDEX
+  autoIndex: !process.env.DISABLE_INDEX,
+  blacklist: require('./package-blacklist').blacklist
 }
 
 const startServer = (serverConfig = {}) => {
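Review bot: The new `blacklist: require('./package-blacklist').blacklist` entry fails open if the JSON file parses but has no `blacklist` key. The value is then `undefined` and, going by the `options.blacklist || []` fallback added in server/middleware/index.js, the server starts with no packages blocked and nothing logged. Since this list is an abuse control, I would validate it at startup, for example `if (!Array.isArray(blacklist)) throw new Error('package-blacklist.json must contain a "blacklist" array')` before building the config. The list is also read once when the module loads, so additions to the file presumably take effect only after a restart or redeploy, which deserves a comment. `defaultServerConfig` starts outside this hunk.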
diff --git a/server/middleware/index.js b/server/middleware/index.js
index 381de74..83f4c62 100644
--- a/server/middleware/index.js
+++ b/server/middleware/index.js
@@ -73,7 +73,6 @@ const resolveFile = (path, useIndex, callback) => {
  *
  * - registryURL    The URL of the npm registry (defaults to https://registry.npmjs.org)
  * - autoIndex      Automatically generate index HTML pages for directories (defaults to true)
- * - maximumDepth   The maximum recursion depth when generating metadata
  *
  * Supported URL schemes are:
  *
@@ -92,6 +91,7 @@ const createRequestHandler = (options = {}) => {
   const registryURL = options.registryURL || 'https://registry.npmjs.org'
   const autoIndex = options.autoIndex !== false
   const maximumDepth = options.maximumDepth || Number.MAX_VALUE
+  const blacklist = options.blacklist || []
 
   const handleRequest = (req, res) => {
     let url
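Review bot: The options list in the doc comment above `createRequestHandler` does not mention the new `blacklist` option. The same commit also removes the `maximumDepth` entry from that list, although `options.maximumDepth` is still read on the line just above the added one. I would add ` * - blacklist      An array of package names to refuse with a 403 (defaults to [])` and either keep the `maximumDepth` line or remove the option together with its documentation. `createRequestHandler` continues outside this hunk.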
@@ -107,6 +107,11 @@ const createRequestHandler = (options = {}) => {
     const { pathname, search, query, packageName, version, filename } = url
     const displayName = `${packageName}@${version}`
 
+    const isBlacklisted = blacklist.indexOf(packageName) !== -1
+
+    if (isBlacklisted)
+      return sendText(res, 403, `Package ${packageName} is blacklisted`)
+
     // Step 1: Fetch the package from the registry and store a local copy.
     // Redirect if the URL does not specify an exact version number.
     const fetchPackage = (next) => {
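Review bot: `blacklist.indexOf(packageName) !== -1` is an exact, case-sensitive string comparison, so the block only holds if `packageName` is in the same canonical form as the entries in package-blacklist.json. The URL parsing that produces it is outside this hunk, so it is worth confirming there that percent-encoding and the scoped `@scope/name` form are normalised before this check. It is also a linear scan on every request; building the set once in `createRequestHandler` with `const blacklist = new Set(options.blacklist || [])` and testing `blacklist.has(packageName)` keeps the lookup constant-time as the list grows. A test that requests a blacklisted name and asserts the 403, with no registry fetch, would pin the behaviour. `handleRequest` starts and ends outside the hunk.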