Takumi Guard for npm Released
Takumi Guard is an npm registry proxy that strengthens supply chain security.
Point your .npmrc at a single registry URL and malicious package blocking is enabled immediately; register an email address to add post-install tracking and breach notifications.

Background
The number of malware specimens in the npm ecosystem is increasing year over year. Attack techniques are also diversifying, from typosquatting to code injection into legitimate packages via account takeover.
Furthermore, AI agents are increasingly selecting and installing packages autonomously as part of development assistance. As packages are introduced without human review, the risk of malicious packages slipping through is higher than ever.
Takumi Guard addresses this by providing a mechanism to verify package safety at the registry level.
One-Line Change
Add the registry URL to your project's .npmrc, and all subsequent npm install commands will route through Takumi Guard.
registry=https://npm.flatt.tech/
No account required. Blocklist checking applies immediately to every package request. Works with npm, pnpm, and yarn, with no lockfile migration needed. Because npm merges the project, user and global .npmrc files, check those as well: a per-scope override (@scope:registry=...) in any of them still routes that scope's packages around the proxy.
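To confirm that a client really will send every package request through the proxy, the following added example (not Takumi Guard's own code) merges .npmrc files the way npm does, project first, then user, then global, with the first definition of a key winning, and flags a missing or different default registry as well as any @scope:registry override pointing elsewhere. GUARD_REGISTRY is the URL from this page; the .npmrc grammar it handles (key=value lines, # or ; comments, @scope:registry keys) and the two sample files are assumptions constructed for the demo.

```javascript
// Added example (not Takumi Guard's own code): check that an npm client will
// actually send every package request to the proxy. npm merges configuration
// from several .npmrc files (project, then user, then global; the first
// definition of a key wins), and a per-scope override such as
// `@corp:registry=` sends that scope's packages elsewhere even when the
// default `registry` is the proxy. Assumptions: GUARD_REGISTRY is the URL from
// this page; the .npmrc grammar handled is `key=value` lines, `#` or `;`
// comments, and `@scope:registry` keys; the sample files are constructed.
"use strict";

const GUARD_REGISTRY = "https://npm.flatt.tech/";

// Parse one .npmrc into [{key, value}] in file order.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Merge files given in precedence order (project first): first definition wins.
function mergeConfig(texts) {
  const merged = new Map();
  for (const text of texts) {
    for (const { key, value } of parseNpmrc(text)) {
      if (!merged.has(key)) merged.set(key, value);
    }
  }
  return merged;
}

const withSlash = (u) => (u.endsWith("/") ? u : u + "/");

// Returns {ok, findings}: ok only when the default registry is the proxy and
// no scope is routed anywhere else.
function auditNpmrc(texts) {
  const cfg = mergeConfig(texts);
  const findings = [];
  if (!cfg.has("registry")) {
    findings.push("no registry= set; requests go to the public registry");
  } else if (withSlash(cfg.get("registry")) !== GUARD_REGISTRY) {
    findings.push(`registry=${cfg.get("registry")} is not ${GUARD_REGISTRY}`);
  }
  for (const [key, value] of cfg) {
    if (/^@[^:]+:registry$/.test(key) && withSlash(value) !== GUARD_REGISTRY) {
      findings.push(`${key}=${value} routes that scope around the proxy`);
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample: the project .npmrc points at the proxy, but a user-level
// ~/.npmrc left over from an internal registry still overrides one scope.
const PROJECT_NPMRC = "# project .npmrc\nregistry=https://npm.flatt.tech/\n";
const USER_NPMRC = "; ~/.npmrc\n@corp:registry=https://npm.example.internal/\n";

// Runs the audit over the constructed pair; the scope override is the finding.
function demo() {
  return auditNpmrc([PROJECT_NPMRC, USER_NPMRC]);
}
```

The live equivalent after editing .npmrc is `npm config get registry`, with `npm config list` to see which files contributed to the merged result; the audit above performs the same merge offline over file contents you supply, so it can run in CI against checked-in and template .npmrc files.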
Features
Malicious Package Blocking
Takumi Guard sits as a proxy between your development environment and the public npm registry. On every npm install, each package request is checked against the blocklist, and known malicious packages (malware, typosquats, compromised releases) are refused before the tarball is downloaded.
The blocklist is maintained by an automated analysis pipeline built and operated by the GMO Flatt Security research team. The npm registry provides a change feed (Replicate API) that streams package publications and updates in real time. This feed is continuously monitored to fetch newly published packages immediately, which then go through static and dynamic analysis to determine whether they are malicious. This enables detection of zero-day malicious packages before they appear in public advisories.
See Intelligence for details.
Post-Install Tracking and Breach Notifications
Register your email address to enable download tracking and breach notifications. If a security advisory is published for a package you previously downloaded, you receive a notification email containing the package name and version, download timestamp, reason for flagging, and recommended remediation steps.
This covers the scenario where a package was not on the blocklist at install time but was later found to be malicious. Only downloads that went through Takumi Guard are in its records, so only those can be matched against a later advisory.
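The two mechanisms described above, blocking at the registry proxy and notifying later from a download record, reduce to a small amount of logic. The following added example (not Takumi Guard's own code) implements both as pure functions with no network I/O: it maps a registry request path to a package name and version, refuses blocked packages before any tarball is served, records allowed tarball fetches, and then joins a later advisory against that record to produce the notifications. The request-path layout it assumes is that of the public npm registry (`/<name>` for a packument, `/<name>/-/<base>-<version>.tgz` for a tarball); the blocklist entries, advisory, package names and timestamps are constructed for the demo.

```javascript
// Added example (not Takumi Guard's own code): the decisions a blocklist-
// enforcing registry proxy makes, as pure functions with no network I/O so the
// logic can be exercised offline. Assumptions: request paths follow the public
// npm registry layout (`/<name>` for a packument, `/<name>/-/<base>-<version>.tgz`
// for a tarball); blocklist entries, advisories and timestamps are constructed.
"use strict";

// Map a registry request path to {kind, name, version}; null if unrecognised.
function parseRegistryPath(path) {
  const p = decodeURIComponent(path).replace(/^\/+/, "");
  const idx = p.indexOf("/-/");
  if (idx === -1) {
    // Packument request: "lodash" or "@scope/name" (scoped names may arrive as %2f)
    return /^(@[^/]+\/)?[^/]+$/.test(p) ? { kind: "packument", name: p, version: null } : null;
  }
  const name = p.slice(0, idx);
  const file = p.slice(idx + 3);
  const base = name.includes("/") ? name.split("/")[1] : name;
  if (!file.startsWith(base + "-") || !file.endsWith(".tgz")) return null;
  return { kind: "tarball", name, version: file.slice(base.length + 1, -4) };
}

// Blocklist entry: {name, versions, reason}; versions === null blocks every version.
// A packument request (version null) is refused only when the whole package is
// listed, so one bad release does not hide the package's other versions.
function blockReason(blocklist, name, version) {
  for (const e of blocklist) {
    if (e.name !== name) continue;
    if (e.versions === null || (version !== null && e.versions.includes(version))) return e.reason;
  }
  return null;
}

// Gate one request. Returns {status, reason}; allowed tarball fetches are
// appended to `downloads`, the record that post-install tracking needs later.
function handleRequest(path, blocklist, downloads, now) {
  const req = parseRegistryPath(path);
  if (req === null) return { status: 400, reason: "unrecognised registry path" };
  const reason = blockReason(blocklist, req.name, req.version);
  if (reason !== null) return { status: 403, reason }; // refused before any tarball moves
  if (req.kind === "tarball") downloads.push({ name: req.name, version: req.version, at: now });
  return { status: 200, reason: null }; // a real proxy forwards upstream here
}

// Later advisory against the download record: which earlier installs need a
// notice? The advisory shape mirrors a blocklist entry plus `remediation`.
function notificationsFor(downloads, advisory) {
  return downloads
    .filter((d) => d.name === advisory.name &&
      (advisory.versions === null || advisory.versions.includes(d.version)))
    .map((d) => ({ package: `${d.name}@${d.version}`, downloadedAt: d.at,
      reason: advisory.reason, remediation: advisory.remediation }));
}

// Constructed scenario: a typosquat blocked outright, one compromised release of
// a scoped package blocked by version, then an advisory arriving after the installs.
function demo() {
  const blocklist = [
    { name: "example-typosquat", versions: null, reason: "typosquat of a popular package" },
    { name: "@example/widget", versions: ["1.4.2"], reason: "compromised release" },
  ];
  const downloads = [];
  const requests = [
    "/example-typosquat",                   // whole package blocked: 403
    "/@example%2fwidget",                   // packument still served: 200
    "/@example/widget/-/widget-1.4.2.tgz",  // blocked version: 403
    "/@example/widget/-/widget-1.4.1.tgz",  // allowed and recorded: 200
    "/lodash/-/lodash-4.17.21.tgz",         // allowed and recorded: 200
  ];
  const statuses = requests.map((r, i) =>
    handleRequest(r, blocklist, downloads, `2024-05-01T10:0${i}:00Z`).status);
  const advisory = { name: "@example/widget", versions: ["1.4.1", "1.4.2"],
    reason: "maintainer account takeover", remediation: "pin 1.4.0 and rotate secrets exposed to CI" };
  return { statuses, downloads, notifications: notificationsFor(downloads, advisory) };
}
```

The split between the packument and tarball decisions is deliberate: a version-specific block lets the client still resolve and install the package's clean versions, while a whole-package block stops it at the first request. The download record is also the only input the notification step has, which is why installs that never went through the proxy cannot be notified about.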
Getting Started
See the user guide for detailed setup instructions.
User Guide: Takumi Guard
