Overview
Severity: CRITICAL | Affected: CodeSynth | Category: incident
The popular AI code generation service, CodeSynth, has confirmed a security incident where malicious actors successfully poisoned a segment of its training data. The attackers subtly injected code snippets containing a sophisticated, dormant backdoor into a widely-used open-source repository that was later scraped for a model training cycle. The compromised CodeSynth model then recommended this backdoored code to developers, which was subsequently integrated into several high-profile software applications. The backdoor was activated last week, leading to data exfiltration from at least three tech companies. This incident is a critical example of an AI supply chain attack and highlights the immense challenge of validating the terabytes of data used to train modern foundation models, raising urgent questions about data provenance and security in MLOps pipelines.