A new exploit targeting AI coding assistants has raised alarms across the developer community, opening companies such as crypto exchange Coinbase to the risk of potential attacks if extensive safeguards aren’t in place.
Cybersecurity firm HiddenLayer disclosed Thursday that attackers can weaponize a so-called “CopyPasta License Attack” to inject hidden instructions into common developer files.
The exploit primarily affects Cursor, an AI-powered coding tool that Coinbase engineers said in August was among the team’s AI tools. Cursor is said to have been used by “every Coinbase engineer.”
How the attack works
The technique takes advantage of how AI coding assistants treat licensing files as authoritative instructions. By embedding malicious payloads in hidden markdown comments within files such as LICENSE.txt, the exploit convinces the model that these instructions must be preserved and replicated across every file it touches.
Once the AI accepts the “license” as legitimate, it automatically propagates the injected code into new or edited files, spreading without direct user input.
This approach sidesteps traditional malware detection because the malicious commands are disguised as harmless documentation, allowing the virus to spread through an entire codebase without a developer’s knowledge.
In its report, HiddenLayer researchers demonstrated how Cursor could be tricked into adding backdoors, siphoning sensitive data, or running resource-draining commands — all disguised inside seemingly innocuous project files.
“Injected code could stage a backdoor, silently exfiltrate sensitive data or manipulate critical files,” the firm said.
Coinbase CEO Brian Armstrong said on Thursday that AI had written up to 40% of the exchange’s code, with a goal of reaching 50% by next month.
However, Armstrong clarified that AI-assisted coding at Coinbase is concentrated in user interface and non-sensitive backends, with “complex and system-critical systems” adopting more slowly.
‘Potentially malicious’
Even so, the optics of a virus targeting Coinbase’s preferred tool amplified industry criticism.
AI prompt injections are not new, but the CopyPasta method advances the threat model by enabling semi-autonomous spread. Instead of targeting a single user, infected files become vectors that compromise every other AI agent that reads them, creating a chain reaction across repositories.
Compared to earlier AI “worm” concepts like Morris II, which hijacked email agents to spam or exfiltrate data, CopyPasta is more insidious because it leverages trusted developer workflows. Instead of requiring user approval or interaction, it embeds itself in files that every coding agent naturally references.
Where Morris II fell short due to human checks on email activity, CopyPasta thrives by hiding inside documentation that developers rarely scrutinize.
Security teams are now urging organizations to scan files for hidden comments and review all AI-generated changes manually.
“All untrusted data entering LLM contexts should be treated as potentially malicious,” HiddenLayer warned, calling for systematic detection before prompt-based attacks scale further.
