Blockchain security firm SlowMist has issued an urgent warning about a critical vulnerability in mainstream AI-powered coding tools and integrated development environments (IDEs) that poses a severe threat to cryptocurrency developers. The flaw allows malware to execute automatically on a developer's system through simple, routine actions like opening an untrusted project folder, requiring no additional user interaction on both Windows and macOS.
The attack vector, first documented by cybersecurity firm HiddenLayer in September as the "CopyPasta License Attack," manipulates how AI assistants interpret common project files such as LICENSE.txt and README.md. Attackers embed malicious instructions within markdown comments that remain hidden in rendered views but are read and executed by AI tools, propagating malware across entire codebases. This can lead to backdoors, data exfiltration, or system manipulation.
Tools confirmed as vulnerable include Cursor, Windsurf, Kiro, and Aider, with Cursor users facing particularly severe exposure. SlowMist's threat intelligence team reports that several developers have already been compromised. The disclosure comes amid an aggressive push for AI adoption in crypto development, notably highlighted by Coinbase CEO Brian Armstrong's mandate for engineers to use AI tools, aiming for 50% AI-generated code by October 2025.
Concurrently, nation-state threat actors are escalating attacks on the crypto sector. North Korean groups, including UNC5342 documented by Google, have weaponized blockchain technology to distribute malware. They are embedding malicious payloads like JADESNOW and INVISIBLEFERRET within smart contracts on Ethereum and BNB Smart Chain, creating a decentralized, hard-to-dismantle command-and-control infrastructure. Other campaigns, such as "Contagious Interview," use fake companies and job interviews to target developers with malware like BeaverTail and OtterCookie.
Further compounding the threat landscape, research from Anthropic revealed that AI agents can successfully exploit smart contracts, with models like Claude Opus 4.5 and GPT-5 discovering zero-day vulnerabilities in live contracts. Separately, data from Chainabuse shows AI-powered crypto scams surged 456% between May 2024 and April 2025, with 60% of scam wallet deposits now originating from AI-driven schemes. Despite these rising sophisticated threats, overall crypto hack losses saw a sharp decline, falling 60% month-on-month to about $76 million in December 2025, according to PeckShield.
