The Signal — April 11, 2026

Following up on our April 5 coverage of the npm supply chain attack that hit the Axios library: OpenAI just disclosed they were one of the victims. A North Korea-linked group (UNC1069) compromised a GitHub Actions workflow in OpenAI's macOS app-signing process through the poisoned Axios package. The root cause was a floating tag reference instead of a pinned commit hash — one lazy shortcut in a CI config, and a nation-state actor was inside the build pipeline.

OpenAI says no user data was compromised, but they're rotating all macOS code-signing certificates and requiring every macOS user to update by May 8. Apple is blocking notarization with the old certificates after that date. An external forensics firm is still picking through the wreckage. The method matters here: UNC1069 used deepfake video calls and a fabricated collaboration workspace to trick the Axios maintainer into running malware, then used the stolen credentials to publish poisoned packages. This is the supply chain attack pattern we flagged last week, and it's now confirmed to have reached one of the biggest AI companies on the planet.

Sources: OpenAI disclosure

Anthropic is exploring designing its own AI chips, according to a Reuters exclusive. The keyword is "exploring." There's no team yet and no timeline. But with a $30 billion annual run rate (tripled since end-2025), the economics of a custom silicon program start making sense. Designing a chip from scratch runs around $500 million, which is real money but not existential at that revenue scale.

Right now Anthropic runs on Google TPUs and Amazon's custom chips, and they just signed a long-term deal with Google and Broadcom. None of this is about replacing existing partners tomorrow; it's about having options when your compute bill is your biggest single expense. Meta and OpenAI are both pursuing custom chips too. Every major AI lab is looking at their dependency on a handful of chip suppliers and coming to the same conclusion: relying entirely on someone else's silicon is a vulnerability you eventually have to address.

Sources: Reuters, ResultSense

OpenAI sent a memo to shareholders that reads less like an investor update and more like opposition research on Anthropic. Per CNBC, the memo claims OpenAI will have access to 30 GW of compute power by 2030, versus Anthropic's "deliberately conservative" 7-8 GW target by 2027. The framing is unsubtle: Anthropic is described as "operating on a meaningfully smaller curve."

This is pre-IPO positioning. OpenAI needs to convince investors that its compute ambitions justify the valuation, and the easiest way to do that is to paint the closest competitor as thinking too small. The irony is that journalist Alex Kantrowitz's read of the situation is almost the opposite: "OpenAI is chasing Anthropic right now." Both companies are collectively valued north of a trillion dollars, and the memo's defensive tone suggests OpenAI knows the gap is closer than it wants shareholders to believe. When you're winning comfortably, you don't write memos about the other guy.

Sources: CNBC

On the Editor's Desk

Cut today: Big Tech's nuclear power push. Meta, Amazon, and Google are pouring money into small modular reactor companies like TerraPower, Oklo, X-energy, and Kairos Power. It's a genuinely important story about how tech balance sheets are de-risking nuclear in ways government funding never could. But it's a slow-burn infrastructure story competing against three fast-moving industry stories, and the nuclear beat deserves a longer treatment than 200 words in a roundup. We'll come back to it.