- HiddenLayer alerts about a new “CopyPasta License Attack” that takes advantage of AI coding tools such as Cursor.
- Coinbase’s CEO Brian Armstrong states that AI currently produces 40% of the exchange’s code, aiming for 50% by October.
- Experts criticize the action as hazardous for a security-conscious industry, whereas Armstrong advocates it as essential progress.
A recent cybersecurity alert has overshadowed Coinbase’s bold initiative in AI-driven software creation. Security company HiddenLayer announced on Thursday that a virus called the “CopyPasta License Attack” is capable of exploiting weaknesses in Cursor, the AI coding platform commonly utilized by Coinbase developers.
As reported by HiddenLayer, the attack conceals harmful instructions within typical developer files like LICENSE.txt and README.md. These “prompt injections” can deceive the AI model into disseminating malware throughout entire codebases without user awareness. The company cautioned that inserted code might establish backdoors, steal sensitive information, or disable systems while staying concealed in documentation files.
Cursor, identified by Coinbase engineers earlier this year as their favored coding aide, was discovered to be especially susceptible. Other AI programming tools such as Windsurf, Kiro, and Aider experienced impacts as well.
Newsletter
Get weekly updates on the newest crypto stories, case studies and tips right in your mailbox.
Security risks collide with Coinbase’s AI push
The alert arrives as Coinbase CEO Brian Armstrong disclosed that AI presently produces roughly 40% of the firm’s code, aiming for 50% by October. The declaration provoked backlash from developers and scholars who warned that requiring AI on such a scale in a security-sensitive industry was irresponsible.
Jonathan Aldrich, professor of computer science at Carnegie Mellon University, said: “AI is a tool, but mandating its use at a certain level is insane. I would not trust Coinbase with my money after seeing this.”
Armstrong has supported the method, stating that AI-generated code is consistently examined and is predominantly used in “less-sensitive data backends,” with a more gradual implementation in mission-critical systems. He has also acknowledged dismissing engineers who were unwilling to utilize AI tools such as Cursor and GitHub Copilot, calling it a “heavy-handed approach” yet essential for innovation.
Following the revelation of the CopyPasta exploit, Coinbase is under increasing pressure to align its responsibilities as a crypto custodian with the dangers of depending heavily on new AI technologies.
