Coinbase’s AI coding tool could be exploited through a backdoor

The Coinbase CEO may have strong-armed his company to use AI tools Cursor, but according to Cybersecurity platform HiddenLayer, that move could put the exchange at risk.

Coinbase developers’ most favored AI coding assistant has been found vulnerable to a cyberattack that can implant hidden malware and compromise the entire organization, according to a new report from cybersecurity company HiddenLayer.

In a blog published late Thursday, HiddenLayer wrote the attack exposes weaknesses in Cursor’s code editor through an exploit known as a “CopyPasta License Attack,” a method that seems harmless on the outside, but embeds malicious instructions into common developer files.

HiddenLayer discovers CopyPasta attack

Cursor provides intelligent autocomplete, automated code suggestions, and real-time error detection to help developers simplify coding. But in Auto-Run mode, where the software can execute commands automatically, the researchers discovered a flaw that bypasses protections meant to prevent unsafe instructions from running without approval.

HiddenLayer propounded that the CopyPasta attack takes advantage of system prompts within Cursor that is imperative to software licensing compliance. It mimics licensing text like GPL agreements, and then disguises itself as a README markdown text.

The attack also uses hidden comments in markdown files and syntax-based inputs to masquerade malicious instructions as authoritative developer commands.

“When combined with malicious instructions, the CopyPasta attack is able to simultaneously replicate itself in an obfuscated manner to new repositories and introduce deliberate vulnerabilities into codebases that would otherwise be secure,” HiddenLayer said in its disclosure.

In testing, researchers used a harmless payload that inserted a single line of code at the start of any Python file. But they warned the same method could be used during security breaches, including planting backdoors, exfiltrating sensitive data, consuming system resources, or corrupting production environments.

Researchers compared it to experiments such as the “Morris II” attack, for example, which showed how email agents could be tricked into spamming or leaking data while reproducing themselves. Morris II had a high theoretical success rate, but it was limited in practice because email systems still required human review before messages were sent.

HiddenLayer said other AI coding assistants, such as Windsurf, Kiro, and Aider, also propagate the CopyPasta exploit to new files in a way that is not easily detected. The vulnerability was reported independently by both HiddenLayer and security group BackSlash. 

Coinbase engineers under heavy AI coding

As reported by Cryptopolitan yesterday, Coinbase CEO Brian Armstrong disclosed that the exchange’s engineering team is using Cursor as its preferred tool for most of its work, with plans to make “every Coinbase engineer” using it by February next year.

The company head told Stripe co-founder John Collison in a podcast late August that he gave developers one week to start using GitHub Copilot and Cursor, or lose their jobs.

“I went rogue and posted in the all-in Slack channel. AI’s important. We need you to all learn it and at least onboard. You don’t have to use it every day yet until we do some training, but at least onboard by the end of the week. If not, I’m hosting a meeting on Saturday with everybody who hasn’t done it, and I’d like to meet with you to understand why,” Armstrong surmised.

On Wednesday, he posted on X that AI was responsible for writing as much as 40% of the company’s code, and was expecting that figure to rise to 50% by next month.

Armstrong has been one of Silicon Valley’s most vocal supporters of integrating AI into corporate workflows. But his insistence that engineers adopt AI coding tools does not sit well with some community members.

If you're reading this, you’re already ahead. Stay there with our newsletter.