Cybersecurity experts are warning about the emergence of a new sophisticated attack called the CopyPasta License Attack, which poses a serious threat to artificial intelligence tools, especially those used in companies like Coinbase.
This is reported by Business • Media
Attack Mechanism and Its Spread Among AI Tools
According to analysts at HiddenLayer, attackers are embedding malicious code into standard development files such as README.md and LICENSE.txt, using markdown comments. Since artificial intelligence considers these documents as reliable sources of information, the malicious code can automatically spread among various AI assistants. This creates a chain reaction of infection and makes the attack similar to a self-replicating virus.
“The injected code can create a ‘backdoor’, stealthily exfiltrate confidential data, or manipulate important files,” warned HiddenLayer.
Experts note that files infected in this manner become attack vectors for every AI assistant that interacts with them, leading to the rapid spread of malware in code repositories.
Specific Risks for Coinbase and Expert Recommendations
This vulnerability has gained particular attention because the exploit was aimed at Cursor — an AI tool that Coinbase announced in August would be mandatory for all its engineers. At that time, the company even fired employees who refused to work with this AI assistant.
Coinbase CEO Brian Armstrong clarified that up to 40% of the exchange’s code is already written using AI, and this figure is planned to be increased to 50% in the near future. At the same time, he emphasized that critical systems are implemented with greater caution, while the majority of AI-generated code is used for less significant components.
Experts at HiddenLayer recommend that organizations carefully check files for hidden comments and manually review all changes generated by artificial intelligence. They emphasize:
“All unreliable data entering LLM [large language model] contexts should be treated as potentially harmful.”
Additionally, it is noted that recently hackers have begun using Ethereum smart contracts for covertly delivering malicious commands in infected NPM packages, spreading them through GitHub and evading standard cybersecurity measures.