Cybersecurity Company Finds Holes in Coinbase’s AI Coding Plans

Coinbase just announced an increase in its dependence on AI-driven coding

A new report from cybersecurity company HiddenLayer is raising concerns about Coinbase’s reliance on artificial intelligence tools for software development. The firm said Thursday that it discovered a vulnerability known as the “CopyPasta License Attack,” which can be used to sneak malicious instructions into files commonly included in coding projects, such as README.md and LICENSE.txt.

According to HiddenLayer, the exploit can trick AI-powered coding assistants into copying hidden commands across entire codebases. Once embedded, these instructions could be used to install backdoors, exfiltrate data, or degrade system performance, all without immediate detection.

The research team showed how Cursor — the AI tool Coinbase has promoted internally as its preferred developer assistant — could replicate the hidden payload across new files with minimal human involvement. Other AI coding platforms, including Windsurf, Kiro, and Aider, were also found to be at risk.

The findings come shortly after Coinbase CEO Brian Armstrong said AI now writes more than 40% of the exchange’s code, a figure he hopes to push to 50% within weeks. That disclosure drew criticism from security experts, who argue that mandating heavy AI use in a financial services company exposes customers to unnecessary risks.

Carnegie Mellon computer science professor Jonathan Aldrich called the approach “insane,” while other industry figures urged Coinbase to focus on improving reliability rather than chasing AI benchmarks.

Coinbase has defended its strategy, saying AI-generated code is reviewed and applied primarily to user interface work and non-critical systems, while core exchange infrastructure has adopted it more cautiously. Armstrong has acknowledged that his decision to require engineers to onboard with AI tools was forceful — even admitting he fired staff who resisted — but maintains the technology is vital for staying competitive.

Copyright © 2025 | ACRpoker.eu | T&Cs | All Rights Reserved
