Coinbase AI Tool Found Vulnerable To CopyPasta Virus
Vulnerability in Coinbase’s AI-powered coding tool
Cybersecurity firm HiddenLayer has revealed that Coinbase’s widely used AI coding tool may contain a critical vulnerability. The flaw allows attackers to inject malware hidden in LICENSE or README files, which can then spread across the entire codebase.
HiddenLayer described this as a “CopyPasta Attack”, a form of prompt injection concealed inside markdown files. When AI-powered coding assistants such as Cursor, Windsurf, Kiro, or Aider process these files, the malicious instructions are unknowingly replicated and distributed throughout the project.
Security risks for Coinbase’s infrastructure
According to the report, the injected code could:
- Create backdoors to steal sensitive data
- Run resource-draining tasks to cripple systems
- Manipulate critical files to disrupt development and production environments
Cursor — the tool that Coinbase admitted “every engineer uses” — was the main target in HiddenLayer’s tests.
Coinbase CEO sparks backlash over AI mandate
The news broke just a day after Coinbase CEO Brian Armstrong announced that 40% of the company’s code is now written by AI, with a target of 50% next month. The statement triggered strong criticism from security experts and developers.
Many argued that forcing engineers to rely on AI is reckless. Carnegie Mellon computer science professor Jonathan Aldrich commented:
“AI is a tool, not a mandate. I would never trust my money with a crypto exchange that relies so heavily on AI.”
Armstrong even admitted to firing engineers who refused to use AI tools, a move many described as heavy-handed and risky for a security-sensitive company.
Coinbase insists AI is used in “less sensitive systems”
In response to the criticism, Coinbase emphasized that AI is mainly applied in Front-End development and less critical data platforms, while core exchange infrastructure adopts it at a much slower pace.
The company stressed that AI-generated code is not automatically trusted — it must still be reviewed and validated by engineers before integration.
The percentage of AI-generated lines of code (LOC) across Coinbase shows that the organization’s development team uses AI the least. Source: Coinbase
Disclaimer: The content above reflects the author’s personal views and does not represent any official position of Cobic News. The information provided is for informational purposes only and should not be considered as investment advice from Cobic News.