AI Coding Tool Used by Coinbase Exposes Firms to Self-Spreading Malware

A newly disclosed vulnerability in an AI-powered coding instrument favored by Coinbase has raised alarms throughout the cybersecurity and crypto communities.

According to cybersecurity firm HiddenLayer, the flaw permits attackers to stealthily inject malicious code that may unfold throughout a complete group’s codebase with minimal consumer interplay.

The assault, dubbed the “CopyPasta License Attack,” exploits how AI instruments interpret widespread developer information like LICENSE.txt and README.md.

AI Code Assistants Exposed to Malware by way of Hidden Markdown

By embedding dangerous directions in markdown feedback, usually hidden from rendered views, attackers can manipulate AI code assistants into propagating malware with out builders realizing.

“Injected code may stage a backdoor, exfiltrate delicate knowledge, or manipulate vital methods, all whereas remaining buried deep inside information,” HiddenLayer stated in a Thursday report.

The agency demonstrated the exploit utilizing Cursor, the AI coding assistant reportedly adopted by each Coinbase engineer as of February.

HiddenLayer stated comparable vulnerabilities had been current in different instruments together with Windsurf, Kiro, and Aider.

The concern comes only a day after Coinbase CEO Brian Armstrong claimed that AI now writes up to 40% of the corporate’s code, a determine he goals to push to 50% subsequent month.

The announcement drew criticism from cybersecurity specialists, builders, and crypto insiders who warned of the dangers tied to mandated AI adoption.

“This is a huge pink flag for any security-sensitive enterprise,” stated Larry Lyu, founding father of decentralized change Dango.

Carnegie Mellon professor Jonathan Aldrich known as the coverage “insane,” including that he wouldn’t belief Coinbase together with his funds after listening to it.

~40% of day by day code written at Coinbase is AI-generated. I would like to get it to >50% by October.

Obviously it wants to be reviewed and understood, and never all areas of the enterprise can use AI-generated code. But we ought to be utilizing it responsibly as a lot as we probably can. pic.twitter.com/Nmnsdxgosp

— Brian Armstrong (@brian_armstrong) September 3, 2025

Delphi Consulting’s Ashwath Balakrishnan known as the push “performative and obscure,” whereas Bitcoiner Alex Pilař harassed that Coinbase, as a significant crypto custodian, ought to prioritize safety over AI adoption metrics.

Armstrong has defended the move, saying AI-generated code should nonetheless be reviewed and isn’t utilized in all components of the enterprise.

In a weblog put up, Coinbase’s engineering group clarified that AI use is extra widespread in front-end and less-sensitive methods, whereas “system-critical change methods” stay extra cautiously managed.

However, Armstrong admitted throughout a podcast with Stripe co-founder John Collison that he had enforced AI onboarding at Coinbase, going so far as firing engineers who refused to use the instruments.

“I went rogue,” Armstrong stated. “They bought fired.”

TIME Names Coinbase a 2025 ‘Disruptor’ Among Most Influential Companies

As reported, TIME has recognized Coinbase as one of 2025’s 100 Most Influential Companies, labeling the crypto change a “disruptor” for its important position in shaping US digital asset insurance policies and markets.

TIME famous the change as a key driver behind the business’s coverage efforts and predicted Coinbase may grow to be the central hub for crypto buying and selling within the US.

Beyond the US, Coinbase is broadening its attain in Europe, securing a license underneath the EU’s MiCA regulatory framework by way of Luxembourg’s monetary regulator.

The put up AI Coding Tool Used by Coinbase Exposes Firms to Self-Spreading Malware appeared first on Cryptonews.