
Takumi Guard PyPI Support Released

· 2 min read
Deividas Turskis
Software Engineer @ GMO Flatt Security Inc.

Takumi Guard now supports PyPI alongside npm.

Python projects using pip, uv, or poetry can now route installs through Takumi Guard to block known-malicious packages before they reach your CI or development environment.

Overview

Takumi Guard is a security proxy that sits between your package manager and the upstream registry. It checks every install request against a real-time threat database and blocks known-malicious packages.

With this release, the same protection that npm users have is now available for the Python ecosystem:

  • Package Blocking: Malicious PyPI packages are blocked before any code executes
  • Download Tracking: Records install history for authenticated users
  • Breach Notifications: Get notified if a package you installed is later flagged as malicious
  • Version-Level Blocking: Block specific compromised versions while allowing safe versions through

Getting Started

pip / uv

Add the following to your shell profile (.bashrc, .zshrc, etc.) to route every pip command through Takumi Guard. uv also reads its own UV_INDEX_URL variable, so if your uv version does not pick up PIP_INDEX_URL, export UV_INDEX_URL with the same value:

export PIP_INDEX_URL=https://pypi.flatt.tech/simple/

Or configure in pip.conf (~/.config/pip/pip.conf on Linux/macOS, %APPDATA%\pip\pip.ini on Windows):

[global]
index-url = https://pypi.flatt.tech/simple/

For a one-time install without changing your environment:

pip install --index-url https://pypi.flatt.tech/simple/ <package>

Whichever method you use, keep in mind that -i/--index-url given on the command line or inside a requirements file replaces the configured index, and that --extra-index-url and --find-links add sources pip searches alongside it, so a package can be fetched from one of those without ever passing through Takumi Guard.

poetry

Add Takumi Guard as the primary source, then confirm with poetry source show that it is the source Poetry resolves from (how Poetry treats its implicit PyPI source next to a primary source differs between Poetry versions):

poetry source add --priority=primary takumi-guard https://pypi.flatt.tech/simple/

GitHub Actions

Add one line to your workflow:

steps:
- uses: actions/checkout@v4
- uses: flatt-security/setup-takumi-guard-pypi@v1
- run: pip install -r requirements.txt

For full setup options including authentication and breach notifications, see the PyPI quickstart guide.
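The settings above only protect an install if nothing else redirects it. As an added example (not Takumi Guard's own code), the script below audits the environment variables and a requirements file for the pip and uv options that replace or bypass the configured index: -i/--index-url overrides it, --extra-index-url and --find-links add sources pip searches with equal priority, -e and "name @ url" requirements fetch from a path or URL directly, and -r/-c pull in files this scan does not follow. The requirements text is a constructed sample; the guard host is taken from this page.

```python
"""Audit a pip/uv environment and a requirements file for ways an install can
skip the Takumi Guard index. Added example, not part of Takumi Guard."""
import os
import re
import shlex
from urllib.parse import urlsplit

GUARD_HOST = "pypi.flatt.tech"  # host of the index URL given on this page

# Index variables replace pypi.org; "extra"/find-links variables add sources that
# are searched alongside the index, so a package can come from them unguarded.
INDEX_VARS = ("PIP_INDEX_URL", "UV_INDEX_URL")
EXTRA_VARS = ("PIP_EXTRA_INDEX_URL", "PIP_FIND_LINKS", "UV_EXTRA_INDEX_URL")

# Requirements-file options with the same effect.
INDEX_OPTS = {"-i", "--index-url"}
EXTRA_OPTS = {"--extra-index-url", "-f", "--find-links"}
EDITABLE_OPTS = {"-e", "--editable"}          # path or VCS URL, never an index
NESTED_OPTS = {"-r", "--requirement", "-c", "--constraint"}
# "name @ url" requirements are downloaded from that URL, not from any index.
DIRECT_REF = re.compile(r"@\s*(https?|file|git\+)", re.IGNORECASE)
# pip strips a comment that starts at line start or after whitespace.
COMMENT = re.compile(r"(^|\s+)#.*$")


def is_guarded(url):
    """True when the URL points at the Takumi Guard host (credentials allowed)."""
    return urlsplit(url.strip()).hostname == GUARD_HOST


def audit_env(env):
    """Return findings for an environment mapping such as os.environ."""
    findings = []
    if not env.get("PIP_INDEX_URL"):
        findings.append("PIP_INDEX_URL not set: pip installs go to pypi.org directly")
    for var in INDEX_VARS + EXTRA_VARS:
        for url in (env.get(var) or "").split():  # extra vars may hold several URLs
            if not is_guarded(url):
                findings.append(f"{var}={url} is not the guard index")
    return findings


def audit_requirements(text):
    """Return findings (with 1-based line numbers) for requirements-file text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("-"):
            tokens = shlex.split(line)
            opt, sep, val = tokens[0].partition("=")  # accept --opt=value too
            if not sep:
                val = tokens[1] if len(tokens) > 1 else ""
            if opt in INDEX_OPTS and not is_guarded(val):
                findings.append(f"line {lineno}: {opt} {val} overrides the guard index")
            elif opt in EXTRA_OPTS and not is_guarded(val):
                findings.append(f"line {lineno}: {opt} {val} adds an unguarded source")
            elif opt in EDITABLE_OPTS:
                findings.append(f"line {lineno}: {opt} {val} installs from a path or VCS, not the index")
            elif opt in NESTED_OPTS:
                findings.append(f"line {lineno}: {opt} {val} includes a file not scanned here")
        elif DIRECT_REF.search(line):
            findings.append(f"line {lineno}: direct reference bypasses the index: {line}")
    return findings


# Constructed sample, not a real project file.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project file
--index-url https://pypi.flatt.tech/simple/
requests==2.32.3
--extra-index-url https://pypi.org/simple/
-f https://example.invalid/wheels/
internal-tool @ https://example.invalid/internal_tool-1.0-py3-none-any.whl
numpy>=1.26
"""

if __name__ == "__main__":
    for finding in audit_env(os.environ) + audit_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run it in the CI job after the guard is configured and fail the job on any finding; a clean environment with only PIP_INDEX_URL pointing at the guard and a requirements file without source directives produces none.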

Email Registration (Breach Notifications)

Register your email to receive notifications if a package you installed is later found to be malicious. No account required, free of charge.

Step 1: Register your email

curl -X POST https://pypi.flatt.tech/api/v1/tokens \
-H "Content-Type: application/json" \
-d '{"email": "you@example.com"}'

Step 2: Click the verification link in the email. You will see a page with your API key and setup instructions.

Step 3: Configure pip with your token

export PIP_INDEX_URL=https://token:tg_anon_xxxxxx@pypi.flatt.tech/simple/

Your installs are now tracked, and you will be notified if a downloaded package is later flagged. Treat the token as a credential: it is part of the index URL, so it appears in shell history, in pip config list output and in any log that prints the index URL. Keep it out of committed files and, in CI, inject it from a secret rather than writing it into the workflow.
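As an added example (not Takumi Guard's own code), the helpers below build the authenticated index URL with the token percent-encoded, redact it before anything is logged, and write the alternative that pip also supports, a .netrc entry with owner-only permissions so the index URL itself stays credential-free. The username "token" mirrors the URL form shown above; that the guard accepts the same credentials via .netrc is an assumption to verify, and the token value used is a placeholder.

```python
"""Handle the Takumi Guard API token as a credential. Added example, not part of
Takumi Guard; the .netrc username "token" mirrors the URL form on this page and
is an assumption about what the guard accepts."""
import os
import stat
import tempfile
from urllib.parse import quote, urlsplit, urlunsplit

GUARD_INDEX = "https://pypi.flatt.tech/simple/"


def _with_userinfo(url, userinfo):
    """Rebuild url with the given user:password part (or none when userinfo is None)."""
    parts = urlsplit(url)
    netloc = parts.hostname if userinfo is None else f"{userinfo}@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def build_index_url(token, base=GUARD_INDEX):
    """Embed the token as the URL password, percent-encoded so that characters
    such as '@' or '/' in a token cannot change how the URL parses."""
    return _with_userinfo(base, f"token:{quote(token, safe='')}")


def redact(url):
    """Replace the password part with *** before logging. pip prints index URLs
    in error messages and in 'pip config list', so never log the raw value."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    return _with_userinfo(url, f"{parts.username}:***")


def write_netrc(path, token, host="pypi.flatt.tech"):
    """Alternative to credentials in the URL: pip reads ~/.netrc when the index
    URL carries none. Returns the file mode, which must be owner-only (0o600)."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"machine {host} login token password {token}\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(token="tg_anon_example"):  # placeholder token, not a real one
    """Exercise all three helpers against a temporary .netrc and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        netrc_path = os.path.join(tmp, "netrc")
        mode = write_netrc(netrc_path, token)
        with open(netrc_path, encoding="utf-8") as fh:
            entry = fh.read()
    url = build_index_url(token)
    return {"url": url, "redacted": redact(url), "netrc_entry": entry, "netrc_mode": mode}


if __name__ == "__main__":
    result = demo()
    print("index URL for logs:", result["redacted"])  # never print result["url"]
    print("netrc entry written with mode", oct(result["netrc_mode"]))
```

With the .netrc route, PIP_INDEX_URL stays at the plain https://pypi.flatt.tech/simple/ value from the Getting Started section and the token never enters shell history or CI logs; in GitHub Actions, write the entry from a repository secret at the start of the job.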

Supported Package Managers

Package Manager    Supported
pip                Yes
uv                 Yes
poetry             Yes
npm                Yes (existing)
pnpm               Yes (existing)
yarn               Yes (existing)