GMO Flatt Security's 'Takumi byGMO Guard' Exceeds 20 Million Package Downloads Per Day
GMO Flatt Security announced that the 'Guard' function of its security AI agent 'Takumi byGMO' surpassed 20 million daily package downloads on May 19, 2026. The proxy tool, which automatically blocks malicious packages before installation, saw its usage double in about a month, driven by heightened awareness of supply chain attack risk and the rise of AI-assisted coding.
Published: May 20, 2026 at 19:01
GMO Flatt Security Inc. (President and CEO: Yasutaka Ide, hereinafter 'GMO Flatt Security'), a company operating cybersecurity-related businesses for product development organizations under the mission of 'having engineers' backs' within the GMO Internet Group, announced that the 'Guard' function of its security AI agent 'Takumi byGMO' (hereinafter 'Takumi'), which launched in March 2026, recorded over 20 million package downloads per day on May 19. After reaching 10 million in early April, the number has doubled in just about a month, indicating that the 'Guard' function is rapidly being adopted as a new foundation for 'border control' at development sites.
What is the 'Guard' Function: Blocking Malicious Packages Before Installation
The 'Guard' function acts as a proxy between package registries and engineers' development environments. When a package is downloaded, it checks in real time whether the package contains malicious content, and packages judged malicious are automatically blocked before they reach developers' machines or CI/CD environments. Setup is completed by running a single command in the terminal, with no changes to existing code or operating procedures.
Most SBOM management tools rely on post-installation scanning of packages that are already installed, so they cannot prevent the malware from entering in the first place. In the 'axios' compromise incident in March, for example, even though the malicious version was on npm for only about 3 hours, development environments that ran ordinary install operations during that short window were widely affected. Because the 'Guard' function intervenes at installation time, it proactively prevents such malicious packages from getting in.
Currently, it supports npm as well as PyPI and RubyGems, enabling cross-ecosystem defense across major package ecosystems, and is available for free to anyone, whether individual or corporate. Additionally, a batch setup feature using a management tool (paid) is provided for corporate clients considering bulk implementation across organizational devices.
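To make the difference between install-time gating and post-install scanning concrete, here is an added example of the kind of check a registry proxy can run before a tarball is handed to the package manager. It is not Takumi Guard's code: the policy rules, the package name 'example-http-client', the version timestamps, the tarball bytes and the deny list are all constructed assumptions. Beyond a plain deny list it also applies a minimum release age, which would hold back a version that has only been live for a few hours, and an optional digest comparison against a pinned value from the lockfile.

```python
# Added illustration of install-time package gating ("border control").
# This is NOT GMO Flatt Security's Takumi Guard code; the policy rules and all
# sample data (package name, versions, timestamps, tarball bytes) are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


# Fixed clock so the example is deterministic.
NOW = datetime(2026, 3, 31, 12, 0, tzinfo=timezone.utc)

# Constructed registry slice in the shape of an npm-style packument "time"
# map (version -> publish timestamp) plus the tarball bytes the proxy would
# fetch from upstream on an allow verdict.
SAMPLE_REGISTRY = {
    "example-http-client": {
        "time": {
            "1.8.0": "2026-02-01T10:00:00Z",  # mature release
            "1.8.1": "2026-03-31T11:40:00Z",  # 20 minutes old, already classified as bad
            "1.8.2": "2026-03-31T11:50:00Z",  # 10 minutes old, not (yet) classified
        },
        "tarballs": {
            "1.8.0": b"benign tarball bytes (constructed)",
            "1.8.1": b"tampered tarball bytes (constructed)",
            "1.8.2": b"unvetted tarball bytes (constructed)",
        },
    },
}

# Constructed deny list of releases already classified as malicious.
DENY_LIST = {("example-http-client", "1.8.1")}

# Hold back anything published less than this long ago: a short-lived malicious
# release is usually pulled within hours, so a quarantine window lets the
# ecosystem catch it before it lands on a developer machine or in CI.
MIN_RELEASE_AGE = timedelta(hours=24)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(name: str, version: str, *, registry=SAMPLE_REGISTRY, now: datetime = NOW,
             deny_list=DENY_LIST, min_age: timedelta = MIN_RELEASE_AGE,
             expected_sha256: Optional[str] = None) -> Verdict:
    """Decide whether a requested release may be handed to the package manager."""
    pkg = registry.get(name)
    if pkg is None or version not in pkg["time"]:
        return Verdict(False, "unknown package or version")
    if (name, version) in deny_list:
        return Verdict(False, "deny-listed as malicious")
    published = datetime.fromisoformat(pkg["time"][version].replace("Z", "+00:00"))
    age = now - published
    if age < min_age:
        return Verdict(False, f"release too new: published {age} ago, minimum is {min_age}")
    # Optional lockfile pin: reject a tarball whose bytes differ from what was
    # recorded when the dependency was first vetted.
    if expected_sha256 is not None and sha256_hex(pkg["tarballs"][version]) != expected_sha256:
        return Verdict(False, "tarball digest does not match the pinned value")
    return Verdict(True, "ok")


def fetch_if_allowed(name: str, version: str, **policy) -> Optional[bytes]:
    """Proxy behaviour: the tarball leaves the gate only on an allow verdict."""
    verdict = evaluate(name, version, **policy)
    if not verdict.allowed:
        print(f"BLOCKED {name}@{version}: {verdict.reason}")
        return None
    print(f"ALLOWED {name}@{version}")
    registry = policy.get("registry", SAMPLE_REGISTRY)
    return registry[name]["tarballs"][version]


if __name__ == "__main__":
    for v in ("1.8.0", "1.8.1", "1.8.2"):
        fetch_if_allowed("example-http-client", v)
    pinned = sha256_hex(SAMPLE_REGISTRY["example-http-client"]["tarballs"]["1.8.0"])
    fetch_if_allowed("example-http-client", "1.8.0", expected_sha256=pinned)
    fetch_if_allowed("example-http-client", "1.8.0", expected_sha256="0" * 64)
```

The ordering of the checks matters: the deny list is cheapest and most certain, so it runs first; the release-age window then catches releases nobody has classified yet; the digest pin is last because it only applies to dependencies that have been vetted once before. In a real proxy the deny list would come from a threat-intelligence feed and the timestamps from the registry's own metadata rather than from an in-memory dictionary.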
Background of Surging Adoption: Heightened Crisis Awareness Due to Successive Software Supply Chain Attacks
The rapid adoption of the 'Guard' function is believed to be heavily related to the software supply chain attacks that occurred in quick succession in 2026.
At the end of March 2026, 'axios', an HTTP client library with 100 million weekly downloads, was compromised, causing widespread impact including on indirect dependencies. The breach originated from a social engineering attack on a single maintainer, becoming a sensational case where the compromise of a single prominent package posed risks to systems worldwide.
Furthermore, the proliferation of coding agents is amplifying the risk of cyberattacks. A 'structural problem' has emerged: an AI agent can autonomously install packages but bears no responsibility for them, so the burden of verifying their safety ultimately falls on the human side. Particularly with the spread of 'vibe coding' (development that proceeds solely through instructions to an AI, without the user writing code), there are more and more cases in which users without development experience accept AI proposals as they are and unknowingly depend on packages whose safety has not been adequately verified.
In response to these successive breaches, awareness of countermeasures against software supply chain attacks in development environments has risen. The daily download count for the 'Guard' function has consistently exceeded 10 million since early April 2026, reaching over 20 million by May 19.
Attacks on the software supply chain are expected to continue becoming more sophisticated and persistent, making 'border control' defenses essential moving forward. Driven by this crisis awareness, the adoption of 'Takumi' features, including the 'Guard' function, is expanding, primarily among security-conscious development organizations.
FAQ
What is the 'Guard' function of 'Takumi byGMO'?
It is a proxy function that sits between package registries and development environments and automatically blocks malicious packages before installation.
What is the adoption track record of the 'Guard' function?
On May 19, 2026, the number of package downloads per day surpassed 20 million. That is roughly double the figure from early April, about a month earlier.
What is the difference between SBOM management tools and the 'Guard' function?
SBOM management tools perform post-installation scans, whereas the 'Guard' function performs real-time verification at installation time and prevents the intrusion itself.
Which package ecosystems does the 'Guard' function support?
It currently supports npm, PyPI and RubyGems, enabling defense across the major package ecosystems.
What is behind the surge in adoption of the 'Guard' function?
The increase in supply chain attacks such as the 2026 'axios' compromise, together with the spread of AI coding ('vibe coding'), has raised the risk of installing packages whose safety has not been sufficiently verified.