A novel malware that can insert harmful prompts into Cursor—a globally utilized AI coding aid—has been identified by cybersecurity firm HiddenLayer.
An AI coding tool preferred by firms like crypto exchange Coinbase has a weakness that enables the silent insertion of malware, which can then “spread itself across an organization,” a cybersecurity firm states. This weakness has been identified as a significant security risk.
A “CopyPasta License Attack” capable of concealing malicious instructions in common developer files was revealed by HiddenLayer on Thursday. This attack can “introduce deliberate vulnerabilities into codebases that would otherwise be secure.”
“By convincing the underlying model that our payload is actually an important license file that must be included as a comment in every file that is edited by the agent, we can quickly distribute the prompt injection across entire codebases with minimal effort”
HiddenLayer focused its testing of the virus on Cursor, an AI development utility that was designated as the “preferred tool” for most developers by Coinbase’s engineering team in August. By February, it had been utilized by “every Coinbase engineer.”
According to HiddenLayer, the AI coding tools Windsurf, Kiro, and Aider were also revealed to be susceptible to the attack.
CopyPasta Attack Conceals Malicious Code in Common Files
HiddenLayer clarified that the CopyPasta attack embeds clandestine instructions, or “prompt injections,” into LICENSE.txt and README.md files that can steer AI coding tools. This is accomplished without a user’s awareness.
The malware, or the AI prompt injection, is concealed within a markdown annotation—a type of text inside a README file that is utilized for explanatory remarks and is not shown when it is rendered into its final format.
HiddenLayer developed a code repository containing the virus and instructed Cursor to utilize it. The concealed directives then caused the prompt injection to be replicated in the new files that were generated by the tool.
“This mechanism could be adapted to achieve far more nefarious results,” the company said.
The potential for inserted code to create a backdoor, covertly extract confidential information, or introduce resource-depleting processes was highlighted by HiddenLayer. The firm added that the code can also tamper with crucial files to impair development and live environments, all while being embedded deep within files to evade immediate detection.
Coinbase CEO’s AI Mandate Criticized as “Insane”
A negative reaction was prompted by Coinbase CEO Brian Armstrong’s statement on Wednesday that AI had authored as much as 40% of its codebase and his aim to expand this to 50% in the coming month.
A “significant cause for concern for any security-conscious enterprise” was declared by Larry Lyu, founder of the decentralized exchange Dango.
A firm warning to “software company leaders” to avoid this practice was asserted by Carnegie Mellon University computer science professor Jonathan Aldrich. He stated that while AI is a tool, mandating its use at a certain level is “insane.” “I have no interest in using Coinbase, but even if I did,” he added, “I certainly would not trust it with my money after seeing this.”
Coinbase’s goal was labeled “ostentatious and vague” by Delphi Consulting head Ashwath Balakrishnan, who stated it ought to instead direct attention to “new features and fixing existing bugs.” Meanwhile, veteran Bitcoiner Alex Pilař asserted that as a key crypto custodian, Coinbase “should prioritize security.”
Coinbase Deploys AI to “Less-Sensitive” Backend Systems
However, it was clarified by Armstrong in his post that AI-generated code “requires scrutiny and understanding,” and that not all areas of the exchange can utilize it. He added that the technology should be used “responsibly as much as we possibly can.”
The Coinbase engineering team’s online publication noted that AI adoption was most profound in teams working on front-end user interfaces and “less-sensitive data backends,” while a slower uptake had been experienced by “complex and system-critical exchange systems.”
It was noted by the team that leveraging AI for coding “is not a magic-bullet we should expect teams to universally adopt.”
Armstrong Fires Developers for Refusing AI Adoption
On Stripe co-founder John Collison’s podcast last month, Armstrong stated that engineers who refused to experiment with AI tools were terminated after Coinbase procured licenses for Cursor and GitHub Copilot.
He recounted hearing that it would take several months to get engineers to adopt AI, so he admitted he “went rogue” and informed all engineers that the use of the tools was a mandatory requirement.
“I said, ‘AI’s important, we need you to all learn it and at least onboard. You don’t have to use it every day yet until we do some training, but at least onboard by the end of the week, and if not, I’m hosting a meeting on Saturday with everybody who hasn’t done it, and I’d like to meet with you to understand why”
he said
At the meeting, Armstrong disclosed that a few engineers who had failed to utilize AI and offered no valid explanation were terminated, conceding it was a “heavy-handed approach” that “some people really didn’t like.”
