Overview
Severity: CRITICAL | Affected: ChromaAI | Category: breach
A significant data breach at ChromaAI, a leading generative AI provider, has exposed sensitive intellectual property, including pre-release model weights for their upcoming 'Chroma-5' LLM. The breach, attributed to a sophisticated state-sponsored threat actor, also compromised a database containing millions of user prompts and personally identifiable information (PII). The attackers reportedly exploited a zero-day vulnerability in a third-party data processing library used within ChromaAI's internal MLOps pipeline. The company has initiated a full-scale investigation with cybersecurity firm Mandiant and is notifying affected users. The incident highlights the growing threat of industrial espionage targeting AI companies' core assets and the critical need for robust supply chain security in AI development.