Overview
Severity: CRITICAL | Affected: CodeWeaver | Category: breach
CodeWeaver, a popular AI-powered code completion and generation service, has disclosed a major security breach affecting thousands of corporate and individual users. Attackers exploited a vulnerability in the platform's model fine-tuning pipeline, allowing them to poison the training data with malicious code. This 'model poisoning' attack caused the production AI model to inadvertently leak snippets of private source code from one user's repository into the code suggestions provided to other users. The breach exposed sensitive intellectual property, API keys, and proprietary algorithms from several Fortune 500 companies that used the service. CodeWeaver has taken its fine-tuning services offline and is working with cybersecurity experts to audit its MLOps pipeline. The incident serves as a stark reminder of the unique data privacy risks associated with training AI models on user-provided data.