Chainguard Reinvents Python Dependency Security With Source-Built Libraries

In the escalating war over software supply chain security, Chainguard just opened a new front—one aimed squarely at Python, the most popular programming language on the planet and a perennial target for cyberattacks.

Today, the company unveiled Chainguard Libraries for Python, an ambitious new project that rebuilds nearly 10,000 of the most widely used Python libraries from source, using SLSA Level 2-compliant infrastructure. The goal? To offer developers and security teams a malware-resistant alternative to the vulnerable packages found in public registries like PyPI.

Python’s Popularity Comes With a Price

Python’s rise to dominance—driven by everything from AI development to scientific computing—has made it an increasingly attractive target for attackers. Supply chain threats now frequently leverage infected Python packages, sneaking malicious code into open-source libraries that developers unknowingly pull into production.

Recent breaches involving packages like Ultralytics and TorchTriton exposed how easily attackers can compromise the ecosystem via unverified uploads. Unlike source-built libraries, most packages on public registries are opaque blobs: difficult to inspect, impossible to verify, and often bundled with hidden system-level dependencies that evade traditional security scanners.

Chainguard’s approach is to flip the model entirely. Instead of trusting what’s uploaded to the public web, its team rebuilds every package—and every dependency—from scratch, ensuring end-to-end traceability and eliminating the guesswork.

Beyond the Registry

This isn't Chainguard's first foray into this space. The new Python libraries follow the company's recent launch of Chainguard Libraries for Java, part of its broader vision to become the safe source for open source across all layers of the modern development stack.

“Chainguard is rebuilding every component for a given library — Python, Java, or otherwise — from source so organizations can mitigate malware, have clear visibility into what exactly is in their software, and eliminate the risk of hidden supply chain vulnerabilities,” said Lewandowski.

By reconstructing even the system libraries that are often bundled with Python packages—an overlooked but critical threat vector—Chainguard gives security teams the ability to see what’s actually running in their environments and ensure those components are built cleanly and securely.

Early Adopters Back the Vision

Companies already using Chainguard’s hardened container images are now eyeing this new Python offering as a logical extension. Among them is Paylocity, whose software handles sensitive HR and payroll data.

Similarly, MAN Energy Solutions, a global provider of industrial energy systems, sees Chainguard’s approach as critical for meeting compliance standards and cyber safety certification requirements.

The Path Forward

For now, Chainguard’s Python library index includes nearly 10,000 projects, with plans to expand rapidly. The libraries can be plugged into existing artifact managers, making them an easy swap for security teams looking to replace insecure defaults without disrupting developers’ workflows.

If successful, Chainguard’s strategy could redefine how enterprises consume open source—not by building walled gardens, but by offering clean, verified ecosystems where trust is earned at every step of the build pipeline.

In a world where open source has become the software industry’s beating heart, Chainguard wants to make sure that heart isn’t quietly bleeding out malware.