A new feat targeting AI coding assistants has raised alarms in the developer community, opening companies such as Crypto Exchange Coinbase at the risk of potential attacks if extensive guarantees are not in place.
Cybersecurity company Hiddenlayer revealed Thursday that attackers can armed a so-called “Copypasta license attack” to inject hidden instructions into current developer files.
The feat mainly affects Cursor, a coding tool fueled by AI which, according to the engineers of Coinbase, was one of the team’s AI tools. The cursor would have been used by “every coinbase engineer”.
How does the attack work
The technique takes advantage of how AI coding assistants deal with license files as authority. By incorporating malicious useful loads into hidden brand comments in files such as LIGENS.TXT, the feat convinces the model that these instructions must be preserved and reproduced on each file it touches.
Once AI accepts the “license” as legitimate, it automatically propagates the code injected into new or edited files, spreading without direct user input.
This approach avoids the traditional detection of malicious software because malicious commands are disguised as harmless documentation, allowing the virus to spread through an entire code base without the knowledge of a developer.
In his report, Hiddenlayer researchers demonstrated how Cursor could be deceived in the addition of baths, siphon sensitive data or execute resource drainage commands – all disguised in apparently harmless project files.
“The injected code could stage a stolen door, silently exfiltrating sensitive data or manipulating critical files,” said the company.
CEO of Coinbase, Brian Armstrong, said on Thursday that AI wrote up to 40% of the exchange code, in order to reach 50% next month.
~ 40% of the daily code written in Coinbase is generated by AI. I want to do it at> 50% by October.
Obviously, it must be examined and understood, and all areas of the company cannot use code generated by AI. But we should use it as much as possible. pic.twitter.com/nmnsdxgosp
– Brian Armstrong (@brian_armstrong) September 3, 2025
However, Armstrong clarified that the coding assisted by AI in Coinbase is concentrated in the user interface and the non -sensitive backends, with “complex and critical systems” adopting more slowly.
“Potentially malicious”
Despite this, the optics of a virus targeting the favorite Coinbase tool has amplified criticism from the industry.
The rapid injections of AI are not new, but the Copypasta method advances the threat model by allowing semi-autonomous spread. Instead of targeting a single user, infected files become vectors that compromise all other AI agents who read them, creating a chain reaction between the standards.
Compared to the previous concepts of the “worm” AI like Morris II, who diverted messaging agents for spam or data exfiltrate, Copypasta is more insidious because he exploits the confidence of trust workflows. Instead of requiring user approval or interaction, it is integrated into files that each coding agent naturally refers.
When Morris II failed due to human checks on e-mail activity, Copypasta thrives by hiding documentation inside that developers rarely examine.
The security teams now urged organizations to scan files for hidden comments and to consult all the modifications generated by the AI.
“All the unreliable data entering LLM contexts must be processed as potentially malicious,” warned Hiddenlayer, calling for systematic detection before close -up attacks evolve more.
(Coindesk contacted Coinbase for comments on the attack vector.)
