‘CopyPasta’ Attack Shows How Prompt Injections Could Infect AI at Scale

Hackers can now arm AI coding assistants who use nothing more than a booby-prisoner of license file, so that developer tools are converted into silent spreaders of malignant code. That is according to a new one report From CyberSecurity Firm Hiddenlayer, who shows how AI can be misled in blind copying from malware to projects.

The proof-of-concept-technique-de “copypasta License Attack” explains how AI tools deal with common developer files such as Licens.txt and Readme.md. By entering hidden instructions, or ‘fast injections’, in these documents, attackers can manipulate AI agents to inject malignant code without the user ever realizing it.

“We have recommended to have runtime defenses against indirect fast injections, and to ensure that every change that is added in a file is thoroughly assessed,” said Kenneth Yeung, a researcher at HiddenLayer and the author of the report, said Decodeer.

Copypasta is considered a virus instead of a worm, Yeung explained because it still requires user action to spread. “A user must act in one way or another for the evil load to spread,” he said.

Despite the requirement of any user interaction, the virus is designed to slip beyond human attention by using the way in which developers in AI agents trust to handle routine documentation.

“Copypasta hides in invisible remarks in Readme files, which often delegate developers to AI agents or language models to write,” he said. “That enables it to spread in a secret, almost non -detectable way.”

Copypasta is not the first attempt to infect AI systems. In 2024, researchers presented a theoretical attack called Morris IIDesigned to manipulate AI -Mailagen to distribute spam and steal data. Although the attack had a high theoretical success rate, it failed in practice due to limited agent capacities, and the steps of human assessment have so far prevented such attacks in the wild.

Although the Copypasta attack is for the time being a laboratory-tight proof of concept, researchers say that it emphasizes how AI assistants can become ignorant compliciters in to attack.

The core issue, says researchers, is trust. AI agents are programmed to treat license files as important, and they often obey embedded instructions without control. This opens the door for attackers to use weaknesses – especially because these tools get more autonomy.

Copypasta follows a series of recent warnings about fast injection attacks focused on AI tools.

In July, OpenAi CEO Sam Altman warned of fast injection attacks when the company rolled out its chatgpt agent, and noticed that malignant prompts could hijack the behavior of an agent. This warning was followed in August, when Brave Software demonstrated a fast injection error in the browser extension of Pertlexity AI, which shows how hidden commands in a Reddit remark the assistant -leak private data could leak.