A newly revealed vulnerability in an AI-powered coding tool, favored by the cryptocurrency exchange Coinbase, has raised significant concerns within both cybersecurity and crypto communities. The exploit reportedly allows attackers to silently inject malicious code that can proliferate through an organization’s entire codebase with minimal user engagement.
The flaw, identified by cybersecurity firm HiddenLayer, leverages the way AI tools process common developer files such as LICENSE.txt and README.md. Dubbed the “CopyPasta License Attack,” this exploit involves embedding harmful instructions in markdown comments that often go unnoticed by developers, allowing the malware to spread without detection. According to HiddenLayer, the consequences of such an attack could include backdoors being established in systems, sensitive data being compromised, or manipulation of crucial operational features—all while remaining concealed within the code.
Cursor, the AI coding assistant embraced by all Coinbase engineers as of February, was specifically tested, and the vulnerabilities were found to extend to other tools like Windsurf, Kiro, and Aider. The timing of this revelation comes just a day after Coinbase’s CEO, Brian Armstrong, stated that AI is responsible for generating approximately 40% of the company’s coding efforts, with intentions to raise that figure to over 50% by the following month.
This aggressive push toward AI integration has triggered backlash from developers, cybersecurity experts, and insiders in the crypto industry who express alarm over the potential risks associated with mandated AI usage in sensitive areas. Larry Lyu, founder of decentralized exchange Dango, labeled the situation as a glaring warning for security-focused businesses. Meanwhile, Jonathan Aldrich, a professor at Carnegie Mellon, criticized the policy as “insane,” expressing his lack of trust in Coinbase’s handling of assets under such conditions.
On social media, Armstrong defended the move, clarifying that while AI-generated code is gaining traction, it is subject to rigorous review and is not injected uniformly across all facets of the business. The engineering team at Coinbase further emphasized that AI usage is predominantly confined to less critical areas, ensuring that essential trading systems are managed with higher caution.
Despite these assurances, Armstrong acknowledged during a podcast that he has taken decisive actions to enforce AI adoption, even terminating employees who were resistant to the tools. He remarked, “I went rogue. They got fired.”
In a broader context, TIME magazine recently recognized Coinbase as one of the “100 Most Influential Companies” for 2025, branding it a “disruptor” in the crypto realm for its pivotal role in shaping U.S. digital asset policies and markets. The publication noted Coinbase’s influence as a driving force behind industry policy efforts and hinted at its potential to become the focal point for crypto trading in the United States. Additionally, Coinbase is expanding its operations in Europe, having secured a license under the EU’s MiCA regulatory framework through Luxembourg’s financial authority.
