Tuesday, January 13, 2026

Anthropic invests $1.5 million in the Python Software Foundation and open source security

We are thrilled to announce that Anthropic has entered into a two-year partnership with the Python Software Foundation (PSF) to contribute a landmark total of $1.5 million to support the foundation’s work, with an emphasis on Python ecosystem security. This investment will enable the PSF to make crucial security advances to CPython and the Python Package Index (PyPI) benefiting all users, and it will also sustain the foundation’s core work supporting the Python language, ecosystem, and global community.

Innovating open source security

Anthropic’s funds will enable the PSF to make progress on our security roadmap, including work designed to protect millions of PyPI users from attempted supply-chain attacks. Planned projects include creating new tools for automated proactive review of all packages uploaded to PyPI, improving on the current process of reactive-only review. We intend to create a new dataset of known malware that will allow us to design these novel tools, relying on capability analysis. One of the advantages of this project is that we expect the outputs we develop to be transferable to all open source package repositories. As a result, this work has the potential to ultimately improve security across multiple open source ecosystems, starting with the Python ecosystem.

This work will build on PSF Security Developer in Residence Seth Larson’s security roadmap with contributions from PyPI Safety and Security Engineer Mike Fiedler, both roles generously funded by Alpha-Omega.

Sustaining the Python language, ecosystem, and community

Anthropic’s support will also go towards the PSF’s core work, including the Developer in Residence program driving contributions to CPython, community support through grants and other programs, running core infrastructure such as PyPI, and more. We couldn’t be more grateful for Anthropic’s remarkable support, and we hope you will join us in thanking them for their investment in the PSF and the Python community.

About Anthropic

Anthropic is the AI research and development company behind Claude — the frontier model used by millions of people worldwide.

About the PSF

The Python Software Foundation is a non-profit whose mission is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers. The PSF supports the Python community using corporate sponsorships, grants, and donations. Are you interested in sponsoring or donating to the PSF so we can continue supporting Python and its community? Check out our sponsorship program, donate directly here, or contact our team!

Tuesday, December 02, 2025

Sovereign Tech Agency and PSF Security Partnership

We are thrilled to announce that the Sovereign Tech Agency has committed to a €86,000 investment in work to be performed by the Python Software Foundation to improve the security of CPython and the Python Package Index (PyPI). The Sovereign Tech Agency is a public organization in Germany that focuses on increasing the security and resilience of critical open source software that forms the foundation of modern digital technology.

With the Sovereign Tech Fund, they invest globally in open software components that underpin economic competitiveness and the ability to innovate. Improving the security, stability, and reusability of open software components like CPython and PyPI is a win for everyone. This project consists of two components, which we are carrying out in parallel: one focused on CPython and one focused on PyPI.

The CPython component, led by PSF Security Developer in Residence Seth Larson, concerns archive-handling vulnerabilities in CPython’s standard library. Following multiple CVEs affecting the tarfile and zipfile modules, systematic fuzz-testing is required to uncover potential regressions or untested cases in extraction filtering. These modules are used by most Python packaging and installation tools, and therefore form a critical part of the software supply chain. The work commissioned through the Sovereign Tech Fund’s investment will develop test cases and seed corpora for these modules, integrate fuzz-testing through the OSS-Fuzz infrastructure, and validate filtering protections against potential bypasses.

The PyPI component, led by PSF PyPI Safety and Security Engineer Mike Fiedler with support from Director of Infrastructure Ee Durbin, focuses on PyPI account integrity and recovery. Current recovery procedures rely solely on email and two-factor authentication, creating support burdens and limiting automated verification. The Sovereign Tech Fund’s investment commissions work that introduces a mechanism for associating PyPI accounts with verified third-party identities through OAuth 2.0 / OIDC flows, allowing account recovery through trusted external services. These associations will improve both user experience and platform reliability while preserving user privacy and autonomy.

We appreciate the Sovereign Tech Fund for supporting these critical improvements that will make CPython and PyPI more secure for millions of users. If you’d like to learn more about the advances our Developers in Residence are driving, or about investing in these roles and work, check out our Developers in Residence page and reach out to [email protected].