In issue #3 of Forkable, we look at Europe’s latest effort to counter the advances of Big Tech — this time, in the form of open source, multilingual large language models.
Elsewhere, Google’s OpenTitan project begins fabrication of its secure “root of trust” chips with Taiwanese semiconductor company Nuvoton. And OpenAI’s Sam Altman says the company may be on the “wrong side of history” regarding open source.
Happy weekend (when it comes).
Paul
Open issue
Europe wants its own “open” large language models
A consortium of nearly two dozen companies, universities and research organizations, and high-performance computing centers has joined forces to create a series of multilingual large language models (LLMs), with open source and transparency at their core.
With a budget of €37 million ($38 million), OpenEuroLLM combines funding from the European Commission (EC) and the partner organizations, though in reality the project will have more resources at its disposal via related initiatives from across the EU, plus compute provided by EuroHPC centers — which are supercomputing resources designed for scientific research, AI, national security, and industrial applications.
The project’s co-leads are Jan Hajič, a Czech computational linguist from the Charles University in Prague; and Peter Sarlin, CEO and co-founder of Finnish AI lab Silo AI, which AMD acquired last year for $665 million.
While the project’s budget is a drop in the ocean compared to what others in Big Tech have been plowing into AI, DeepSeek’s reported efficiency gains might give OpenEuroLLM hope that it won’t need to invest billions of euros. Plus, it’s worth noting that the project is purely about developing models, rather than end-user applications. On top of that, if it can garner free (or cheap) compute from the EuroHPC centers, that will take care of a lot of the expenses.
Hajič said that he expects the first version(s) to be released by mid-2026, with the final iteration arriving at the end of what is a three-year project (so, 2028).
The rundown
Open… silicon!
Way back in 2019, Google launched an open source, secure chip design project dubbed OpenTitan, with the promise of transparent reference design and integration guidelines for silicon “root of trust” (RoT) chips. It’s basically dedicated hardware security that manufacturers embed in their devices’ silicon, providing confidence that the chip is tamper-proof.
Both Apple and Google have previously developed their own proprietary RoT chips, but with OpenTitan, Google wants to create an open industry standard that’s adopted by everyone from laptop and phone makers to datacenters and beyond. And it has now reached a notable milestone in those plans, kicking off fabrication of the first production-grade OpenTitan silicon with Taiwanese semiconductor company Nuvoton (which previously developed chips for Google’s Chromebooks).
Google said that it has samples available for lab testing and evaluation by the broader community, while Nuvoton will make larger volumes available for industry later this spring. Google also says that its own Chromebooks will use the new chips when they ship later this year, and they will make their way into its datacenters “shortly after.”
OpenTitan is hosted by lowRISC CIC, a Cambridge, U.K.-based not-for-profit engineering company that creates commercial-grade open source silicon designs. And a quick peek at OpenTitan project partners, including the likes of Seagate, Western Digital, and ETH Zurich, hints at where else these chips may end up in the future.
OpenAI on the “wrong side of history” regarding open source
Everyone knows the story of how OpenAI once embraced open source AI, only to retreat as its models became more advanced. Well, CEO Sam Altman now says that OpenAI could be “on the wrong side of history” with some of the open source decisions it has made, as per a report in TechCrunch.
With DeepSeek pushing the boundaries of what AI models can do with fewer resources, all the while adhering to a more “open” ethos, this could force OpenAI to rethink its approach to open source in the future, though the company stopped short of saying it will open source everything. The company’s chief product officer, Kevin Weil, did say that it may open source older models that are no longer state-of-the-art.
Backdoor access
North Korea's Lazarus Group cloned several open source projects, planted backdoors, and fooled hundreds of developers (mostly in the cryptocurrency space) into installing the malicious forks.
As per a report by The Register, citing research by SecurityScorecard, the cybercriminals targeted some 181 developers across Europe in November, followed by more than 1,200 around the world in December, and a further 233 in January.
The SecurityScorecard investigation report reads:
Lazarus has been observed altering legitimate software packages by embedding obfuscated backdoors, deceiving developers into executing these compromised packages. To the untrained eye it goes unnoticed by the victim and successfully executes. These packages may involve anything from cryptocurrency applications to authentication solutions.
This analysis makes it evident that Lazarus was orchestrating a global operation targeting the cryptocurrency industry and developers worldwide. The campaigns resulted in hundreds of victims downloading and executing the payloads, while, in the background, the exfiltrated data was being siphoned back to Pyongyang.
As a result, the threat actor managed to steal data such as credentials, authentication tokens, and passwords, among other system information, according to the report.
Patch notes
Semgrep, the company behind the open source static analysis tool (which recently gained a fork due to conflict in the community), raised $100 million in a Series D round of funding from investors including Sequoia Capital, Menlo Ventures, Lightspeed Venture Partners, and Redpoint Ventures.
HeroDevs, a company that provides long-term support for deprecated open source software, acquired Xeol, a company that scans containers, Linux distributions, and SBOMs to detect end-of-life software packages.
Apple open-sourced Swift Build, a build engine that powers projects written in Apple’s Swift programming language.
The Linux Foundation and the Open Source Security Foundation have collaborated on a new effort designed to prepare maintainers, manufacturers, and open source stewards for future cybersecurity legislation, including the impending EU Cyber Resilience Act (CRA), which went into force last year and becomes enforceable from 2027.
The Linux Foundation released a guide to help open source developers navigate sanctions imposed by the U.S. Office of Foreign Assets Control (OFAC), which may prevent developers from accepting contributions from certain countries (e.g. Russia).