
North Korea Breached OpenAI's App Signing; EU Weighs ChatGPT Regulation

Sun, Apr 12 · ~3 min read · Reviewed by Get AI Decoded Editorial Team

A North Korea-linked supply chain attack exposed OpenAI's macOS app signing certificate as the EU moves to extend Digital Services Act oversight to ChatGPT.


🔐 North Korean Threat Actors Breached OpenAI's macOS App Signing Certificate

Decoded: On April 12, OpenAI disclosed that a GitHub Actions workflow used in its macOS app-signing process executed a malicious version of the Axios JavaScript library (version 1.14.1) on March 31, 2026. The attack — part of a broader supply chain compromise attributed to North Korean threat actors by Google Cloud's threat intelligence team — potentially gave the attackers access to the certificate used to authenticate ChatGPT Desktop, Codex, Codex-cli, and Atlas as legitimate OpenAI applications. Based on the timing and sequencing of the attack, OpenAI concluded the certificate was likely not exfiltrated, but it is treating the certificate as compromised: it is being revoked and rotated. Effective May 8, 2026, older macOS versions of all OpenAI apps will no longer function. OpenAI confirmed no user data was accessed and no internal systems or intellectual property were compromised. (OpenAI official press release, Google Cloud threat intelligence blog, The Verge, April 12, 2026)

Why it matters: The Axios attack is the third supply-chain compromise targeting AI developer tooling within two weeks — following the LiteLLM breach that exposed training data at OpenAI, Anthropic, and Meta on March 31 via contractor Mercor. North Korean state actors are systematically targeting open-source libraries embedded in AI company workflows: Axios is installed on over 100 million npm projects globally, making it a high-leverage attack surface. The app-signing certificate is a trust anchor — successful exfiltration would enable distribution of counterfeit OpenAI apps indistinguishable from legitimate software to hundreds of millions of users. OpenAI's forced update requirement by May 8 signals it is responding at the infrastructure trust level, not just patching a single vulnerability.
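A defender-side check for the class of failure described above, added here as an example (it is not OpenAI's code and does not come from the article's sources): a script that audits a package-lock.json before a CI job runs `npm ci`, refusing any dependency version on a blocklist and flagging entries that lack the `resolved` URL and `integrity` hash npm uses to verify a downloaded tarball. The blocklist and the sample lockfile are constructed for the example; the Axios version in the blocklist is the one the article reports, and a real job would load the list from an advisory feed rather than hard-coding it.

```javascript
// Added example (not OpenAI's code or the article's): a lockfile audit a CI
// job can run before `npm ci`, so a dependency version known to be malicious
// never executes inside a release or signing workflow.
//
// Assumptions: BLOCKLIST is constructed for this example; the Axios version
// in it is the one the article reports, and a real job would load the list
// from an authoritative advisory feed instead of hard-coding it.

const BLOCKLIST = {
  axios: new Set(["1.14.1"]), // version named in the article's report
};

// Package name from a lockfile v2/v3 path such as
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Audit a parsed package-lock.json. Returns:
//   blocked  - entries whose (name, version) is on the blocklist
//   unpinned - entries lacking a `resolved` URL or an `integrity` hash,
//              which npm cannot verify against the registry tarball
function auditLockfile(lock, blocklist = BLOCKLIST) {
  const blocked = [];
  const unpinned = [];
  const check = (name, entry, path) => {
    if (blocklist[name] && blocklist[name].has(entry.version)) {
      blocked.push({ name, version: entry.version, path });
    }
    if (!entry.resolved || !entry.integrity) {
      unpinned.push({ name, version: entry.version, path });
    }
  };

  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "" || entry.link) continue; // root project / workspace symlink
      check(entry.name || nameFromPath(path), entry, path);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree keyed by package name
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(name, entry, path);
        if (entry.dependencies) walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return { blocked, unpinned };
}

// Constructed sample lockfile (v3 layout) standing in for a signing
// workflow's package-lock.json; the integrity values are placeholders.
const SAMPLE_LOCK = {
  name: "release-signing-job",
  lockfileVersion: 3,
  packages: {
    "": { name: "release-signing-job", version: "0.1.0" },
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/semver": {
      version: "7.6.0",
      resolved: "https://registry.npmjs.org/semver/-/semver-7.6.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/@scope/helper": {
      version: "2.0.0",
      // no resolved/integrity: npm would install whatever the registry serves
    },
  },
};

function main() {
  let lock = SAMPLE_LOCK;
  const file = process.argv[2];
  if (file) lock = JSON.parse(require("fs").readFileSync(file, "utf8"));
  const { blocked, unpinned } = auditLockfile(lock);
  for (const b of blocked) console.log(`BLOCKED  ${b.name}@${b.version} at ${b.path}`);
  for (const u of unpinned) console.log(`UNPINNED ${u.name}@${u.version} at ${u.path}`);
  // Fail the CI step only when auditing a real file, so the demo run is clean
  if (file && blocked.length) process.exitCode = 1;
}

if (typeof require !== "undefined" && require.main === module) main();
```

Saved under a name of your choosing (say `audit-lock.js`, a hypothetical filename), it runs as a workflow step before `npm ci`: `node audit-lock.js package-lock.json`. A non-zero exit stops the job before any install script from a flagged package can execute, which is the stage at which the article's signing workflow ran the malicious Axios build. The check reads the lockfile rather than package.json version ranges because a pinned range offers no protection once a bad version has already been resolved into the lockfile.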


🏛️ EU Weighs Classifying ChatGPT as a Very Large Online Platform Under the Digital Services Act

Decoded: The European Commission is weighing whether to designate OpenAI's ChatGPT as a "Very Large Online Platform" (VLOP) under the EU's Digital Services Act, Reuters reported April 10. VLOP status applies to platforms exceeding 45 million monthly active users in the EU — a threshold ChatGPT surpassed in 2024. Under the DSA, VLOPs face mandatory algorithmic transparency requirements, systematic risk assessments for societal harms, independent audits, data access obligations for researchers, and enhanced regulatory oversight by national EU authorities. OpenAI would join Meta, Google, TikTok, and Amazon as VLOP-designated platforms subject to the EU's most stringent digital regulation framework. (Reuters, April 10, 2026)

Why it matters: VLOP designation converts ChatGPT from a consumer AI product into a regulated information infrastructure operator with standing compliance obligations — audits, government data access, and ongoing risk assessment requirements. For OpenAI, the timing matters: the company closed a $122 billion funding round on March 31 at an $852 billion valuation and is on a path to a public offering. VLOP status introduces a recurring compliance cost and enforcement risk that public market investors will need to price. The competitive asymmetry is also significant: Anthropic's Claude and Google's Gemini are not currently under consideration for VLOP designation at equivalent scale, meaning the EU regulatory burden would apply to ChatGPT's primary market without hitting its direct competitors.


Stay decoded. See you tomorrow.

— The Get AI Decoded Team