Despite the rosy picture of Python security in 2025, the reality behind that picture is alarming. New vulnerabilities are continually being exposed that endanger both developers and organizations. At the same time, malicious packages are appearing on PyPI at an alarming rate. For air traffic control now, more than ever before, applying robust security measures is vitally important. The Sigstore and Supply Chain Levels for Software Artifacts (SLSA) projects represent cutting-edge efforts in scanning and signing to combat these threats.
Recent analyses reveal that the Python ecosystem is in dire straits, as many developers rely on a “pip install and pray” approach, which lacks adequate safeguards against potential exploits. As of today, there are eight critical vulnerabilities and 115 other high vulnerabilities across several other contexts. Lighting the Flame, a major supply chain attack in December 2024 that hit the Ultralytics YOLO Python package. This incident glaringly illustrated the deep-rooted insecurity throughout the system. These types of events highlight the critical need for stronger security measures.
As the Council of Europe recognizes, the Common Vulnerabilities and Exposures (CVE) system is essential to addressing these vulnerabilities. More importantly, it is a core principle of supply chain basics. Unfortunately, the official Python container image has been scanned and shown to have hundreds of known vulnerabilities, unintentionally putting thousands of organizations at risk. Even the infrastructure developers are accustomed to using, in order to run Python safely in production environments, is just as badly compromised, requiring swift action on developers’ parts.
Chainguard has come in to provide solutions purpose-built to protect Python workloads at scale. Chainguard Containers and Chainguard Libraries are two of its marquee products. Both solutions are aimed at bringing full production-grade protection for Python applications. These solutions are being touted as accelerators for both large and small organizations on their way to achieving a secure posture for their Python supply chain.
To equip developers with the necessary tools and knowledge, a webinar has been scheduled to discuss practical ways to secure Python workloads in 2025. This event will explore the fundamentals of supply chains that are necessary to understand. We’ll discuss ways to avoid risks associated with these and other threats.
