AI Coding Tool Used by Coinbase Exposes Firms to Self-Spreading
0Adoption
AI
Coinbase
The flaw allows attackers to stealthily inject malicious code that can spread across an entire organization’s codebase with minimal user interaction.
Crypto Journalist
Amin Ayan
Crypto Journalist
Amin Ayan
About Author
Amin Ayan is a crypto journalist with over four years of experience in the industry. He has contributed to leading publications such as Cryptonews, Investing.com, 99Bitcoins, and 24/7 Wall St. He has...
Author Profile
Share
Copied
Last updated:
3 hours ago
A newly disclosed vulnerability in an AI-powered coding tool favored by Coinbase has raised alarms across the cybersecurity and crypto communities.
Key Takeaways:
A new AI coding exploit can silently spread malware across entire codebases using hidden markdown instructions.
Coinbase’s preferred tool, Cursor, is among several AI assistants shown to be vulnerable.
CEO Brian Armstrong’s aggressive AI rollout has sparked backlash from developers and security experts.
According to cybersecurity firm HiddenLayer, the flaw allows attackers to stealthily inject malicious code that can spread across an entire organization’s codebase with minimal user interaction.
The attack, dubbed the “CopyPasta License Attack,” exploits how AI tools interpret common developer files like LICENSE.txt and README.md.
AI Code Assistants Exposed to Malware via Hidden Markdown.
By embedding harmful instructions in markdown comments, often hidden from rendered views, attackers can manipulate AI code assistants into propagating malware without developers realizing.
“Injected code could stage a backdoor, exfiltrate sensitive data, or manipulate critical systems, all while remaining buried deep inside files,” HiddenLayer said in a Thursday report.
The firm demonstrated the exploit using Cursor, the AI coding assistant reportedly adopted by every Coinbase engineer as of February.
HiddenLayer said similar vulnerabilities were present in other tools including Windsurf, Kiro, and Aider.
The concern comes just a day after Coinbase CEO Brian Armstrong claimed that AI now writes up to 40% of the company’s code, a figure he aims to push to 50% next month.
The announcement drew criticism from cybersecurity experts, developers, and crypto insiders who warned of the risks tied to mandated AI adoption.
“This is a giant red flag for any security-sensitive business,” said Larry Lyu, founder of decentralized exchange Dango.
Carnegie Mellon professor Jonathan Aldrich called the policy “insane,” adding that he would not trust Coinbase with his funds after hearing it.
Delphi Consulting’s Ashwath Balakrishnan called the push “performative and vague,” while Bitcoiner Alex Pilař stressed that Coinbase, as a major crypto custodian, should prioritize security over AI adoption metrics.
Armstrong has defended the move, saying AI-generated code must still be reviewed and is not used in all parts of the business.
In a blog post, Coinbase’s engineering team clarified that AI use is more common in front-end and less-sensitive systems, while “system-critical exchange systems” remain more cautiously managed.
However, Armstrong admitted during a podcast with Stripe co-founder John Collison that he had enforced AI onboarding at Coinbase, going as far as firing engineers who refused to use the tools.
“I went rogue,” Armstrong said. “They got fired.”
TIME Names Coinbase a 2025 ‘Disruptor’ Among Most Influential Companies.
As reported, TIME has...
https://cryptonews.com/news/ai-coding-tool-used-by-coinbase-exposes-firms-to-self-spreading-malware/
#crypto #bitcoin #ethereum #cryptocurrency #news #blockchain #litecoin #cryptonews #cryptonewstoday #cryptoworld #cryptonewstoday
***NOT FINANCIAL, LEGAL, OR TAX ADVICE! JUST OPINION! I AM NOT AN EXPERT! I DO NOT GUARANTEE A PARTICULAR OUTCOME I HAVE NO INSIDE KNOWLEDGE! YOU NEED TO DO YOUR OWN RESEARCH AND MAKE YOUR OWN DECISIONS! THIS IS JUST ENTERTAINMENT!
This information is what was found publicly on the internet. This information could’ve been doctored or misrepresented by the internet. All information is meant for public awareness and is public domain. This information is not intended to slander harm or defame any of the actors involved but to show what was said through their social media accounts. Please take this information and do your own research.
bitcoin, blockchain, crypto, cryptocurrency, altcoin, investment, ethereum, bitcoin crash, xrp, cardano, ripple