NHS shutters public GitHub repos over AI security fears
Plus: Moonshot AI lands $2B, and much more.
Hi folks,
This week’s lead story looks at NHS England moving hundreds of public GitHub repositories behind closed doors, amid growing concern that AI systems capable of analysing codebases at scale are changing the security calculus around open source.
Elsewhere, China’s open-model boom continues with another massive funding round, AWS and Cisco unveil new infrastructure for securing AI agents and model supply chains, and a fresh wave of startups and investors piles into the tooling, inference, and orchestration layers forming around open AI systems.
As usual, feel free to reach out to me with any questions, tips, corrections, or suggestions: forkable[at]pm.me.
Paul
<Open issue>
NHS locks down public code
AI-driven vulnerability discovery is starting to reshape how public institutions think about open source.
England’s National Health Service (NHS), one of the world’s largest public healthcare systems and among the biggest employers globally, has instructed teams to make hundreds of public GitHub repositories private by May 11, amid growing concern that modern AI systems can analyse open codebases for weaknesses at scale.
According to internal guidance seen by The Register, the move is tied directly to advances in AI-assisted security research, including Anthropic’s Mythos project, which recently demonstrated how frontier models can identify vulnerabilities in widely used software that had survived years of human review.
Notably, NHS isn’t responding to a known breach. Instead, it appears to be reacting to a broader concern: that the economics of vulnerability discovery have changed. Systems capable of ingesting and reasoning over large codebases may make it significantly easier — and cheaper — to identify weaknesses in publicly accessible software and infrastructure. By way of example, Anthropic said that Mythos had found a flaw in OpenBSD, a security-focused operating system, dating back 27 years.
The repositories affected reportedly include a broad mix of projects, from software tools and scripts to documentation and architecture resources. Many were public because NHS England, like other UK public bodies, had increasingly embraced open-source principles around transparency, reuse, and reducing duplication across the public sector.
That context makes the move notable. For years, government-backed open-source efforts have operated on the assumption that openness improves software quality and security by allowing more people to inspect, test, and improve code. The NHS decision suggests some organisations are beginning to worry that the same visibility may now also lower the barrier for attackers equipped with increasingly capable AI tools.
The move also lands amid a broader debate unfolding across open source. In recent weeks, companies including Cal.com have argued that AI-assisted vulnerability research is forcing them to rethink how much code they expose publicly.
But the NHS case could be more consequential because it extends beyond startups and into national infrastructure. Open repositories are often used not just for software distribution, but for collaboration between agencies, procurement, and public accountability around taxpayer-funded systems.
For now, NHS says the move is temporary while it reassesses risk and governance around public code. Whether that becomes a lasting policy change may depend on how seriously institutions come to view AI-assisted vulnerability discovery — and whether openness itself is increasingly seen as part of the attack surface.
Read more: The Register
<Patch notes>
Moonshot AI lands $2B as China’s open-model boom grows
Chinese AI lab Moonshot AI has raised $2 billion at a $20 billion valuation, amid surging demand for open-weight AI models. The company’s Kimi models are gaining traction as China continues pushing an increasingly open AI ecosystem.
Read more: TechCrunch
New fund targets open-source science software
A new Open Source for Science Fund has launched to support the open software stack underpinning scientific research.
Read more: Open Source for Science Fund | OS 4 Science
GitHub adds security scanning for MCP agents
GitHub has launched dependency and secret scanning for its MCP server, allowing AI coding agents to catch leaked credentials and vulnerable packages before code is committed.
Read more: The New Stack
Anthropic donates open-source Petri toolkit
Anthropic is donating Petri, its open-source AI alignment and interpretability toolkit, to researchers and nonprofits working on model transparency and safety. Its new home is at Meridian Labs, an AI evaluation nonprofit.
Read more: Anthropic
Cisco launches model provenance toolkit
Cisco has released Model Provenance Kit, an open-source framework for tracking how AI models are built, modified, and distributed — part of a broader push toward traceability in AI supply chains.
Read more: Cisco
RadixArk launches with $100M
New startup RadixArk has launched with $100 million in seed funding to expand SGLang, the fast-growing open-source inference framework for large language models. The company says it wants to “democratize frontier AI infrastructure.”
Read more: Business Wire
CopilotKit raises $27M for app-native AI agents
Open-source AI agent framework CopilotKit has raised $27 million to help developers build app-native agents directly into their own software, rather than relying on standalone chatbots and hosted assistants.
Read more: TechCrunch
DeepInfra raises $107M for open-model inference cloud
DeepInfra has raised $107 million to build dedicated cloud infrastructure for serving open-source AI models, betting demand for inference outside the hyperscalers will continue growing.
Read more: SiliconANGLE
<Final commit>
A healthy approach to wearable data…
Open Wearables, an open-source health intelligence platform built by healthtech studio Momentum, has released open-source scoring algorithms for wearable data, starting with sleep and resilience metrics typically locked behind platforms like Whoop and Oura.
The system connects data sources including Strava, Garmin, Apple Health, and Google Health Connect through a unified API, while also providing an AI reasoning layer for analysing trends and health signals. The broader pitch is that health scoring — and increasingly AI interpretation of wearable data — should be transparent and auditable.
Read more: Fitt/Insider



