# Intelligence {#intelligence}

The Takumi Guard blocklist is maintained by a threat analysis platform built and operated by the GMO Flatt Security research team. This page explains how threat intelligence is collected and how blocking decisions are made.

## Analysis Pipeline {#analysis-pipeline}

The blocklist is built through the following pipeline:

```mermaid
flowchart LR
    A["Registry change feed"] --> B["Package fetch"]
    B --> C["Automated analysis"]
    C --> D{"Verdict"}
    D -->|Malicious| E["Add to blocklist"]
    D -->|Safe| F["Skip"]
```

### 1. New Package Monitoring {#monitoring}

The npm registry provides a change feed via the [Replicate API](https://github.com/npm/registry/blob/main/docs/REPLICATE-API.md) that streams package publications and updates in real time. This feed is continuously monitored, ensuring packages are analyzed shortly after publication.

### 2. Automated Analysis {#automated-analysis}

Fetched packages are run through an automated analysis pipeline built by the research team. Multiple techniques are combined to determine malicious intent, including inspection of install scripts, detection of obfuscated code, matching against known malware patterns, and execution in a sandbox environment to detect suspicious behavior.

### 3. Verdict and Blocklist Update {#verdict}

Based on analysis results, packages are classified into the following categories:

- **Malware**: Packages that perform malicious actions during installation or execution
- **Typosquatting**: Packages with names similar to popular packages that distribute malicious code
- **Compromised packages**: Legitimate packages with versions containing injected malicious code due to account takeover
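
As an added illustration of the triage that steps 1 to 3 describe (example code, not Takumi Guard's own pipeline): it parses constructed rows in the shape of the npm Replicate `_changes` feed (assumed CouchDB row format with `include_docs=true`), flags lifecycle install scripts declared by the latest version, and checks whether the name is close to an entry in a constructed list of popular packages. The rule set, similarity threshold and "review" routing are assumptions for the example, not the real platform's logic.

```python
import json
from difflib import SequenceMatcher
# Lifecycle scripts npm runs automatically on install (hypothetical triage rule).
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}
# Constructed list of popular package names to compare against for typosquatting.
POPULAR = ["lodash", "express", "react", "chalk", "axios"]

def parse_change_row(line):
    """Parse one JSON row of a CouchDB-style _changes feed (include_docs=true)."""
    row = json.loads(line)
    if row.get("deleted") or "doc" not in row:
        return None
    return row["id"], row["doc"]

def lifecycle_scripts(doc):
    """Return the lifecycle scripts declared by the package's latest version."""
    latest = doc.get("dist-tags", {}).get("latest")
    scripts = doc.get("versions", {}).get(latest, {}).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_SCRIPTS}

def typosquat_target(name, threshold=0.8):
    """Return the popular name this package resembles, or None if no close match."""
    best, score = None, 0.0
    for popular in POPULAR:
        ratio = SequenceMatcher(None, name, popular).ratio()
        if ratio > score:
            best, score = popular, ratio
    return best if best != name and score >= threshold else None

def triage(line):
    """Triage one feed row: 'review' routes it to deeper (sandbox) analysis."""
    parsed = parse_change_row(line)
    if parsed is None:
        return {"verdict": "skip"}
    name, doc = parsed
    signals = {}
    if scripts := lifecycle_scripts(doc):
        signals["lifecycle_scripts"] = scripts
    if target := typosquat_target(name):
        signals["typosquat_of"] = target
    return {"name": name, "verdict": "review" if signals else "pass", "signals": signals}

# Constructed feed rows, not real registry data.
SAMPLE_FEED = [
    json.dumps({"seq": 1, "id": "lodahs", "doc": {"name": "lodahs", "dist-tags": {"latest": "1.0.0"},
        "versions": {"1.0.0": {"scripts": {"postinstall": "node setup.js"}}}}}),
    json.dumps({"seq": 2, "id": "my-safe-lib", "doc": {"name": "my-safe-lib", "dist-tags": {"latest": "2.1.0"},
        "versions": {"2.1.0": {"scripts": {"test": "jest"}}}}}),
]
```

Running `triage` over each row of `SAMPLE_FEED` sends the first package to review for both a `postinstall` script and its resemblance to `lodash`, and passes the second.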

The blocklist is updated continuously and propagated to all Takumi Guard instances.

## Compared to Public Advisories {#vs-public-advisories}

Public advisory databases (such as the GitHub Advisory Database) have a lag between the time a malicious package is reported and confirmed and the time the advisory is published. Takumi Guard's intelligence platform performs real-time analysis of registry change feeds, enabling detection of **zero-day malicious packages** before they appear in public advisories.

## Coverage {#coverage}

For each ecosystem where Takumi Guard is available, we build and operate an intelligence platform like the one described above.
