
URL: https://thenewstack.io/experts-hail-anthropics-1-5m-python-security-commitment/

Experts Hail Anthropic’s $1.5M Python Security Commitment

Analysts say Anthropic's $1.5 million investment in Python security is a smart move that could benefit the entire open source ecosystem.
Jan 14th, 2026 3:00pm by Darryl K. Taft
Featured image by Alexander Mils for Unsplash+.

Anthropic’s $1.5 million investment in Python security is both self-interested and smart, analysts say, addressing a critical vulnerability in the language that powers AI development everywhere.

The Python Software Foundation (PSF) yesterday announced that AI safety and research company Anthropic is investing $1.5 million into PSF over the next two years.

The investment will support the foundation overall, with a particular focus on Python ecosystem security.

The Python software supply chain has been under attack to the point where the PSF has instituted a security developer-in-residence. This investment will support that.

Anthropic’s funds will enable the PSF to make progress on its security roadmap, including work designed to protect millions of PyPI users from attempted supply chain attacks, the foundation said.

“This investment will enable the PSF to make crucial security advances to CPython and the Python Package Index (PyPI) benefiting all users, and it will also sustain the foundation’s core work supporting the Python language, ecosystem, and global community,” PSF wrote in a blog post.

Giving Back

Holger Mueller, an analyst at Constellation Research, called this a key announcement for the Python ecosystem.

“It is an interesting development to see financial funding into open source from one of the ‘rich’ AI players; the traditional path would have been to provide development resources,” he told The New Stack. “The concern could be that Python [Foundation] becomes a development arm for Anthropic and others — but the future will tell.”

Andrew Cornwall, an analyst at Forrester Research, said this is good news for Python and a smart move by Anthropic.

“Too many organizations expect to use open source without contributing back, and Python is core to AI almost everywhere,” he told The New Stack.

Moreover, Cornwall noted that Anthropic runs a lot of Python code behind the scenes when generating its responses, much of it on client desktops.

“By helping Python to detect rogue PyPI packages automatically, Anthropic reduces the risk of accidentally generating and running nefarious code that can steal end-user keys and passwords, or other tasks users don’t want,” Cornwall said. “It’s not clear what improvements this will drive for CPython, but I suspect some of the funding will make CPython, and hence Claude, run faster and more securely as well.”

A Big Deal, but Don’t Expect Immediate Change

“When one of the world’s most important AI companies invests in the community rather than their own projects, that’s a strong sign that Anthropic relies on Python and wants the best Python experience possible for everyone,” said Steve Croce, field CTO of Anaconda, which is considered the gold standard for Python, data science and AI. “AI would not be possible without the years of growth and investment in the Python ecosystem, so it’s amazing to see someone like Anthropic give back.”

However, Croce added, “Don’t expect an immediate change.”

Planned PSF Projects

According to the PSF, planned projects include creating new tools for automated proactive review of all packages uploaded to PyPI, improving on the current process of reactive-only review.

“We intend to create a new dataset of known malware that will allow us to design these novel tools, relying on capability analysis,” PSF said in its post. “One of the advantages of this project is that we expect the outputs we develop to be transferable to all open source package repositories. As a result, this work has the potential to ultimately improve security across multiple open source ecosystems, starting with the Python ecosystem.”

In addition, the Anthropic investment will go toward the PSF’s core work, including the Developer-in-Residence program, driving contributions to CPython, community support through grants and other programs, running core infrastructure such as PyPI, and more, the foundation said.

“This work will build on PSF Security Developer-in-Residence Seth Larson’s security roadmap with contributions from PyPI Safety and Security Engineer Mike Fiedler, both roles generously funded by Alpha-Omega,” the PSF post said.

Meanwhile, Janet Costello Worthington, a security analyst at Forrester, said Anthropic’s investment in Python’s ecosystem is crucial for enhancing software supply chain security amid a rising number of malicious packages.

“These advancements could benefit other ecosystems, such as JavaScript’s npm, which recently faced significant compromises, such as the Shai-Hulud worm, which infected more than 500 npm packages, highlighting the need for stronger, widespread defenses,” Worthington said. “In addition, Anthropic’s announcement will bring awareness to the developer community on the importance of security and encourage other enterprises to invest in the open source software projects they rely on.”

Empowering the Lingua Franca of AI Development

Meanwhile, Anthropic’s investment is a clear signal that foundational model makers recognize Python’s deep entrenchment in the AI/machine learning (ML) ecosystem, Brad Shimmin, an analyst at The Futurum Group, said.

“Python is not just about booting up scikit-learn and building simple neural networks to recognize letters,” he told The New Stack. “Far from it. Python, with its innate performance — many core libraries actually execute as C code — and extremely rich ecosystem, it’s perfectly positioned to be the do-it-all language for modern, agentic AI in the enterprise.”

Yet, Shimmin emphasized that while other languages like Java, Go and Rust are gaining traction with backend agentic tooling, Python’s massive library ecosystem, community support and sheer familiarity across a wide swath of user roles mean it will likely remain the default choice for experimentation and many production workloads.

“This funding just reinforces that Python isn’t going anywhere as the lingua franca of AI development, especially as the tooling landscape continues to diversify,” Shimmin said.

Meanwhile, the threat model for AI is very different than traditional software, Croce said.

“As the language of AI, we need Python to get ahead of those challenges and be the most effective in managing new threats,” he told The New Stack. “Expanding our community and the PSF’s resources will enable the Python community to address those challenges.”

Darryl K. Taft covers DevOps, software development tools and developer-related issues from his office in the Baltimore area. He has more than 25 years of experience in the business and is always looking for the next scoop. He has worked...
TNS owner Insight Partners is an investor in: Anthropic, Anaconda.