# Takumi Guard for npm Released **Takumi Guard** is an npm registry proxy that strengthens supply chain security. Add a single registry URL to your `.npmrc` and **malicious package blocking** plus **post-install tracking and breach notifications** are enabled automatically. ![Takumi Guard for npm Released](/docs/_md-assets/82d6930883-eyecatch.png) ## Background The number of malware specimens in the npm ecosystem is increasing year over year. Attack techniques are also diversifying, from typosquatting to code injection into legitimate packages via account takeover. Furthermore, AI agents are increasingly selecting and installing packages autonomously as part of development assistance. As packages are introduced without human review, the risk of malicious packages slipping through is higher than ever. Takumi Guard addresses this by providing a mechanism to verify package safety at the registry level. ## One-Line Change Add the registry URL to your project's `.npmrc`, and all subsequent `npm install` commands will route through Takumi Guard. ```ini registry=https://npm.flatt.tech/ ``` No account required. Blocklist checking applies immediately to every package request. Works with npm, pnpm, and yarn — no lockfile migration needed. ## Features ### Malicious Package Blocking Takumi Guard operates as a proxy between your development environment and the public npm registry. On every `npm install`, each package is checked against the blocklist, and known malicious packages — malware, typosquatting, compromised packages — are blocked before the tarball is downloaded. ```mermaid sequenceDiagram participant Client as npm Client participant Guard as Takumi Guard participant NPM as Public npm Registry Client->>Guard: npm install Guard->>Guard: Check blocklist rect rgba(220, 38, 38, 0.08) Note right of Guard: If malicious Guard--xClient: 403 Blocked end rect rgba(34, 197, 94, 0.08) Note right of Guard: If safe Guard-->>Client: 302 Redirect Client->>NPM: Download tarball end ``` The blocklist is maintained by an automated analysis pipeline built and operated by the GMO Flatt Security research team. The npm registry provides a change feed ([Replicate API](https://github.com/npm/registry/blob/main/docs/REPLICATE-API.md)) that streams package publications and updates in real time. This feed is continuously monitored to fetch newly published packages immediately, which then go through static and dynamic analysis to determine whether they are malicious. This enables detection of zero-day malicious packages before they appear in public advisories. See [Intelligence](/docs/t/guard/architecture/intelligence) for details. ### Post-Install Tracking and Breach Notifications Register your email address to enable download tracking and breach notifications. If a security advisory is published for a package you previously downloaded, you receive a notification email containing the package name and version, download timestamp, reason for flagging, and recommended remediation steps. This covers the scenario where a package was safe at install time but was later found to be malicious. ## Getting Started See the user guide for detailed setup instructions. ▼ User Guide: [Takumi Guard](/docs/t/guard)