Chainguard Libraries for Python isn’t just another repository; it’s an index of Python dependencies engineered to be resistant to malware. The secret sauce? Building every single one securely from its original source code within a robust SLSA L2 compliant infrastructure.
The promise is straightforward: a newfound confidence that malicious code hasn’t been sneakily injected during the often-opaque build and distribution process of the libraries that underpin so much of today’s Python development.
By taking on the hefty task of securely constructing each library and all its interconnected dependencies from the ground up, Chainguard is directly addressing what many see as a gaping hole in our current digital defences.
To get the ball rolling, Chainguard has processed nearly 10,000 of the most frequently used Python projects as it aims to become the go-to safe haven for open-source components.
More than half of the globe’s developers now lean on Python, which has established itself as the cornerstone of AI and machine learning applications. However, this meteoric rise in popularity has painted a giant target on the Python ecosystem—attracting an increasing frequency and severity of supply chain attacks.
Notable malware incidents that have compromised popular Python packages – such as Ultralytics and PyTorch TorchTriton – have served as a stark wake-up call, exposing the vulnerabilities inherent in relying on traditional channels like the Python Package Index (PyPI) for sourcing libraries.
The uncomfortable truth is that these public registries often perform only minimal checks on the software they host and don’t offer any solid guarantee that the library you download is an exact, untampered match of its original source code. This leaves businesses wide open to sophisticated supply chain attacks.
Adding another layer of complexity, Python libraries themselves can be susceptible due to a common practice. Many projects don’t just contain pure Python code. Project maintainers often rebundle shared system libraries directly into their Python offerings to ensure consistent behaviour across different setups.
While this is often done with the best intentions, this rebundling of OS dependencies into Python libraries can effectively hide these components from standard security scanners. The upshot? Any vulnerabilities they introduce into production environments can slip by unnoticed, posing a serious and often unseen risk to enterprise security.
With the launch of Chainguard Libraries for Python, the company is delivering a potent dose of malware protection for what it describes as one of the most critical – and critically vulnerable – parts of the software supply chain: those language dependencies developers rely on daily.
Until this point, application security teams have often found themselves stuck between a rock and a hard place, lacking a comprehensive way to fight malware without throwing a spanner in their developers’ workflows and slowing down productivity. This vulnerability left organisations exposed to the myriad dangers of malicious code, which could do anything from sapping resources and pilfering application secrets to crippling production systems or, in a worst-case scenario, leaking sensitive customer data.
Chainguard’s Python Libraries are designed to slot neatly into existing artifact managers, giving security teams the power to plug this massive security hole while letting developers get on with their jobs.
Kim Lewandowski, Co-Founder and Chief Product Officer at Chainguard, said: “Chainguard is rebuilding every component for a given library — Python, Java, or otherwise — from source so organisations can mitigate malware, have clear visibility into what exactly is in their software, and eliminate the risk of hidden supply chain vulnerabilities.
“We’re providing a secure, trusted source of Python libraries that allows enterprises to remove friction and add security without asking developers to change how they build and deploy software.”
This latest Python-focused initiative follows Chainguard’s recent introduction of Chainguard Libraries for Java, signalling a clear and consistent strategy to secure the foundational building blocks of open-source software across different programming languages.
The fundamental approach is the same: Chainguard is reconstructing every single dependency for every Python library, directly from its source. This method thwarts malware injection at key weak points in the open-source supply chain, such as compromised build systems, vulnerable release pipelines, and insecure distribution channels.
By isolating and rebuilding the shared system dependencies that many Python libraries need to function, Chainguard is setting out to neutralise another hidden attack vector that often stems from these bundled software bits and pieces.
Joe Christian, Senior Engineering Manager, Application Security at Paylocity, commented: “At Paylocity, application security is core to the modern HR, payroll and spend management software we’re building.
“Chainguard already helps us reduce our attack surface while giving our teams confidence in what they’re shipping. We see promise in Chainguard Libraries for Python to ensure developers can build securely from the very first line of code.”
Carsten Skov, Senior DevOps Engineer at MAN Energy Solutions, added: “As a global provider of large-scale industrial machinery and energy solutions, software supply chain security is a top priority.
“Chainguard Containers have already helped us ensure that our containerised analytics workloads are built and run securely by default. Now, we’re excited about the potential of Chainguard Libraries for Python to further strengthen our software supply chain by mitigating the risks posed by unverified dependencies and malware in the Python ecosystem.”
The arrival of Chainguard Libraries for Python is a welcome move towards tightening the security of a programming language that has become globally indispensable. It offers a tangible, practical solution to the increasingly thorny and ever-present challenge of software supply chain security.
(Photo by Kasia Misiukanis-Kelińska)
See also: Node.js 24: A faster, sleeker JavaScript experience
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including Digital Transformation Week, IoT Tech Expo, Blockchain Expo, and AI & Big Data Expo.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.
