Overview
Severity: CRITICAL | Affected: Cognition AI | Category: breach
Cognition AI, the company behind the AI software engineer 'Devin', announced a significant security breach. Attackers linked to a state-sponsored threat actor gained access to their core infrastructure by compromising a key developer's credentials via a sophisticated phishing attack. The breach resulted in the exfiltration of pre-trained model weights for an unreleased, next-generation version of Devin, along with a database containing over 50,000 customer code repositories and associated interaction logs. The incident highlights the immense value of proprietary model weights as a target for industrial espionage. Cognition AI has initiated a full-scale incident response, notified affected customers, and is working with federal law enforcement. The company's stock fell sharply following the disclosure, and the incident has triggered industry-wide reviews of security protocols for protecting core AI intellectual property and sensitive training data. The attackers are believed to have maintained access for several weeks before detection.