Introduction
In an era where software supply chains are increasingly targeted by cybercriminals, GMO Flatt Security is dedicating its efforts to fortifying these vital ecosystems. Launching on March 3, 2026, the AI agent known as Takumi byGMO will introduce two critical functionalities: Guard, which automatically blocks the installation of malicious software packages, and Runner, which tracks and visualizes the execution status of build and testing environments. This initiative stands as a significant advancement in protecting software developers and organizations from the threats lurking in the software supply chain.
The Takumi AI Agent: A Game Changer
Takumi is an AI agent specifically designed for cybersecurity operations, developed by GMO Flatt Security. Its capabilities include black-box diagnostics (dynamic analysis), white-box diagnostics (static analysis), and automated vulnerability correction. Since its debut in March 2025, it has played a pivotal role in supporting software development organizations in implementing robust security measures continuously.
You can learn more about Takumi by visiting the official website.
Background of Development
The Rise of Malware Targeting Software Engineers
Today's software is primarily developed by integrating publicly available packages, such as open-source libraries, with proprietary source code. This process, known as the software supply chain, often involves hundreds or even thousands of packages. For instance, the npm registry harbors approximately 3.8 million packages, with over 4.5 trillion downloads each year. However, this immense number of packages has led to a surge in malware that exploits weaknesses within the software supply chain.
Recent attacks have drawn attention to this trend, with malware disguised as legitimate packages infiltrating registries, executing malicious code upon installation. The nature of npm allows for the automatic execution of arbitrary programs during package installation, posing a threat that is nearly impossible for developers to catch individually. This situation raises significant concerns, as software developers risk compromising their terminals and CI/CD workflows without even realizing it.
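An added example, not from the original article and not Takumi Guard's code: npm lockfiles (lockfileVersion 2 or 3) mark each dependency that declares a preinstall, install or postinstall script with hasInstallScript, so a short Node.js check can list which dependencies would execute code at install time. The lockfile contents, package names and the REVIEWED allowlist below are constructed for illustration.

```javascript
// Constructed sample lockfile (not real packages).
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "2.1.0" },
    "node_modules/native-addon": { version: "4.0.2", hasInstallScript: true },
    "node_modules/@scope/color-utilz": { version: "0.0.3", hasInstallScript: true },
    "node_modules/native-addon/node_modules/inner-dep": {
      version: "1.0.0", hasInstallScript: true, dev: true,
    },
  },
});

// Hypothetical allowlist: packages whose install scripts the team has reviewed.
const REVIEWED = new Set(["native-addon"]);

// "node_modules/a/node_modules/@s/b" -> "@s/b" (handles nested and scoped names).
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// List every dependency that declares an install-time script.
function auditInstallScripts(lockfileText, reviewed = REVIEWED) {
  const lock = JSON.parse(lockfileText);
  if (!lock.packages) {
    throw new Error("lockfileVersion 2 or 3 required (no 'packages' map)");
  }
  return Object.entries(lock.packages)
    .filter(([path, meta]) => path !== "" && meta.hasInstallScript === true)
    .map(([path, meta]) => {
      const name = packageName(path);
      return { name, version: meta.version, path, reviewed: reviewed.has(name) };
    })
    .sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Only the entries nobody has signed off on; a CI job could fail on these.
function unreviewed(lockfileText, reviewed = REVIEWED) {
  return auditInstallScripts(lockfileText, reviewed).filter((p) => !p.reviewed);
}

for (const p of unreviewed(SAMPLE_LOCKFILE)) {
  console.log(`UNREVIEWED install script: ${p.name}@${p.version} (${p.path})`);
}
```

Installing with `npm ci --ignore-scripts` stops these scripts from running at all, at the cost of breaking packages that need a build step during installation.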
Reports from Sonatype, a US-based security firm, highlight that over 390,000 new malware packages were identified in open-source platforms between October and December 2025, reflecting a staggering 476% increase compared to the previous nine months.
The Shai-Hulud Malware Incident
A notable example of the risks associated with software supply chains is the malware Shai-Hulud, which was confirmed in September and November 2025. This malware infected devices through npm package downloads, stealing authentication credentials for cloud services and allowing its perpetrators to modify legitimate packages by embedding malicious code. This self-replicating worm resulted in over 796 npm packages being compromised, demonstrating how rapidly such threats can evolve.
The Role of AI in Amplifying Risks
The growing use of coding agents has compounded the risk of malware within software supply chains. Although these agents can enhance productivity, they also circumvent the necessary human verification processes traditionally employed to catch malicious code. In response to these increasing threats, GMO Flatt Security has created the Guard and Runner functionalities that alleviate the burden placed on engineers while simultaneously minimizing risks associated with software supply chains.
Introducing the Guard Functionality
Overview
The Guard feature serves as a barrier between engineers and npm registries, verifying the integrity of packages at the moment of download. If a malicious package is detected, the download is automatically blocked. Enabling this safeguard requires only a single command executed in the terminal, so existing workflows are not disrupted.
Functionality Insights
Central to the Guard feature is a proprietary blocklist established and maintained by GMO Flatt Security, which is continuously updated through rigorous examinations of all available npm packages. Traditional tools in the software supply chain mainly focus on scanning for known vulnerabilities within utilized packages, an approach that often fails to prevent malware entry effectively. Conversely, Guard detects potential threats during the installation phase, effectively thwarting the execution of malicious code.
Pricing
The Guard functionality is available for both individuals and businesses at no cost for blocking harmful package installations.
For more information, visit the Guard functionality webpage.
Introducing the Runner Functionality
Overview
The Runner feature enhances the transparency of CI/CD environments by documenting the execution workflow and behaviors in isolated virtual environments. Requiring only minimal setup changes, Runner is fully compatible with GitHub Actions, allowing users to leverage their existing automation configurations seamlessly.
Functionality Insights
While organizations typically utilize security software such as EDR on engineers' local machines for malware detection, CI/CD environments often lack adequate management oversight. These environments harbor critical authentication credentials essential for deploying applications, making them prime targets. If compromised, obtaining logs or telemetry data becomes crucial for identifying the scope of the breach and implementing remedial measures. The Runner feature addresses this need by comprehensively recording execution behavior, file access, and external communications.
Pricing
The Runner feature is primarily intended for corporate users. Active users of Takumi will not incur additional fees or changes in plan for the specified usage tier; however, usage that exceeds these limits will incur charges based on the functionality's execution time.
For further details, visit the Runner functionality webpage.
Future Prospects
The Guard functionality plans to expand support beyond npm to include major package registries such as PyPI (Python) and crates.io (Rust). Additionally, updates for the Runner feature will introduce capabilities to block suspicious communications.
At GMO Flatt Security, our corporate mission revolves around empowering engineers. We strive to ensure a secure environment for software developers to focus on their code, safeguarding the software supply chain in this new AI era.
About GMO Flatt Security
GMO Flatt Security is a pioneering security firm based in Japan, dedicated to enhancing cybersecurity across various sectors. By developing security products and offering tailored security support to various enterprises, they aim to contribute to a safer digital landscape, adhering closely to their mission of standing by engineers in their efforts.
For more information about GMO Flatt Security, visit their official website.