Sophos looked at a week of its own endpoint data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are setting off detection rules written to catch human intruders.

The agents are not malicious. They just do a lot of things that, to a behavioral engine, look exactly like an attack.

Decrypting browser credentials, listing what sits in Windows’ credential store, pulling files down with built-in system tools, writing to the startup folder: these have long been high-signal to defenders.

What has changed is who is generating it. On the machines Sophos watched, it was often a developer’s AI assistant going about ordinary work.

What set the alarms off

The analysis draws on seven days of telemetry from June 2026, taken from Sophos’s behavioral engine on Windows and counted by unique machines, not raw event volume. It is a narrow window on one vendor’s fleet, not an industry census.

Sophos’s charts put credential access at 56.2 percent of the blocked activity and execution at 28.8 percent: agents reaching for stored secrets, or running code the way attackers do.

The biggest credential-access rule, at 42.6 percent of that group, fires when a process uses Windows’ built-in Data Protection API, or DPAPI, to decrypt the browser’s stored credential data. Sophos calls GStack a widely adopted skill pack for coding agents.

Its /browse skill does exactly that, running PowerShell that calls DPAPI to unlock saved browser data. Sophos caught it running under Claude Code. In context, it is almost certainly browser automation on the user’s behalf. To the detection engine, it is credential theft, and the rule is right to fire.

Some Python examples looked worse on paper. In one instance, Claude Code shut down the running browser and ran a script that pulled data from its credential store.

Separately, it ran cmdkey /list to enumerate the credentials Windows Credential Manager was holding. Sophos notes that Claude Code here ran with its –dangerously-skip-permissions flag set, a mode Anthropic’s own documentation warns against and tells administrators how to block.

When one approach fails, an agent tries another. OpenAI Codex did just that, fetching a Python installer from the real python.org, starting with certutil. That was blocked, so it switched to bitsadmin. Both are legitimate Windows utilities that attackers routinely abuse to pull payloads, living off the land.

The target was harmless, but Sophos’s point is that this pivot-when-blocked behavior is what separates a live attacker from a static script, and benign agents now do it too.

Cursor tripped a persistence rule by using PowerShell to drop a startup-folder script that would run every time the machine booted. Sophos could not confirm what the script did, but writing to startup outside a trusted installer is the kind of thing defenders flag on sight.

AI agents on both sides of the line

The flip side is already visible. A month earlier, Sophos 


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: July 8, 2026