HiddenLayer Warns of “CopyPasta License Attack” That Could Spread Across Entire Codebases
A new cybersecurity threat has emerged targeting Cursor, the AI-powered coding tool widely used by developers at Coinbase and beyond. According to cybersecurity firm HiddenLayer, the exploit — dubbed the “CopyPasta License Attack” — can silently inject malicious prompts into commonly used developer files, enabling hackers to spread malware across entire organizations.
The virus hides in files such as LICENSE.txt and README.md, embedding instructions that AI coding tools interpret as mandatory comments. Once activated, the AI replicates the injected code throughout edited files, potentially compromising entire codebases.
HiddenLayer warned that this method could be adapted to deliver backdoors, data exfiltration, or system disruption, all while avoiding immediate detection.
Coinbase Developers Rely Heavily on Cursor
Coinbase’s engineering team revealed earlier this year that Cursor had become the preferred coding assistant for most of its developers, with adoption deepening since February.
HiddenLayer confirmed that other AI coding tools — including Windsurf, Kiro, and Aider — are also vulnerable to the same attack vector.
Armstrong’s Push for AI Raises Security Concerns
The report comes just days after Coinbase CEO Brian Armstrong said AI was already generating 40% of the company’s code, with a goal of reaching 50% by next month.
His remarks triggered sharp criticism from industry leaders. Larry Lyu, founder of DEX Dango, called it a “giant red flag.” Jonathan Aldrich, computer science professor at Carnegie Mellon University, labeled the mandate “insane,” warning that a security-sensitive company should not rely so heavily on AI code.
This is a giant red flag for any security sensitive business https://t.co/2x23cP0TqR
— Larry Engineer 🍡 (@larry0x) September 4, 2025
Others, including Ashwath Balakrishnan of Delphi Consulting, argued Coinbase should prioritize fixing bugs and developing features rather than chasing AI quotas.
Coinbase Responds: AI Limited to “Less-Sensitive” Systems
In response to criticism, Armstrong said AI code “needs to be reviewed and understood” before deployment. Coinbase’s engineering team emphasized that AI is mainly being used in front-end interfaces and less-sensitive backends, while critical exchange systems remain largely human-coded.
Still, Armstrong admitted on a podcast that he fired engineers who refused to adopt AI tools, acknowledging it was a “heavy-handed approach” that upset some staff.
The Bigger Picture: Security vs. AI Adoption
The CopyPasta License Attack highlights growing risks as AI coding tools spread across the tech industry. While AI accelerates development, its vulnerabilities may expose companies like Coinbase — which manages billions in crypto assets — to new classes of threats.
Security experts say the incident underscores the need for rigorous code reviews, stronger developer hygiene, and tighter oversight of AI coding integrations.
📌 Summary: Coinbase’s aggressive AI adoption strategy has left it vulnerable to prompt injection attacks. As tools like Cursor become central to coding workflows, the industry faces a balancing act between AI-driven efficiency and robust cybersecurity protections.
