Sophos looked at a week of its own endpoint data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are setting off detection rules written to catch human intruders.
The agents are not malicious. They just do a lot of things that, to a behavioral engine, look exactly like an attack.
Decrypting browser credentials, listing what sits in Windows' credential store, pulling files down with built-in system tools, writing to the startup folder: these have long been high-signal to defenders.
What has changed is who is generating it. On the machines Sophos watched, it was often a developer's AI assistant going about ordinary work.
What set the alarms off
The analysis draws on seven days of telemetry from June 2026, taken from Sophos's behavioral engine on Windows and counted by unique machines, not raw event volume. It is a narrow window on one vendor's fleet, not an industry census.
Sophos's charts put credential access at 56.2 percent of the blocked activity and execution at 28.8 percent: agents reaching for stored secrets, or running code the way attackers do.
The biggest credential-access rule, at 42.6 percent of that group, fires when a process uses Windows' built-in Data Protection API, or DPAPI, to decrypt the browser's stored credential data. Sophos calls GStack a widely adopted skill pack for coding agents.
Its /browse skill does exactly that, running PowerShell that calls DPAPI to unlock saved browser data. Sophos caught it running under Claude Code. In context, it is almost certainly browser automation on the user's behalf. To the detection engine, it is credential theft, and the rule is right to fire.
Some Python examples looked worse on paper. In one instance, Claude Code shut down the running browser and ran a script that pulled data from its credential store.
Separately, it ran cmdkey /list to enumerate the credentials Windows Credential Manager was holding. Sophos notes that Claude Code here ran with its --dangerously-skip-permissions flag set, a mode Anthropic's own documentation warns against and tells administrators how to block.
When one approach fails, an agent tries another. OpenAI Codex did just that, fetching a Python installer from the real python.org, starting with certutil. That was blocked, so it switched to bitsadmin. Both are legitimate Windows utilities that attackers routinely abuse to pull payloads, living off the land.
The target was harmless, but Sophos's point is that this pivot-when-blocked behavior is what separates a live attacker from a static script, and benign agents now do it too.
Cursor tripped a persistence rule by using PowerShell to drop a startup-folder script that would run every time the machine booted. Sophos could not confirm what the script did, but writing to startup outside a trusted installer is the kind of thing defenders flag on sight.
AI agents on both sides of the line
The flip side is already visible. A month earlier, Sophos documented an attacker who used AI agents to build and test malware against EDR products, one of them running Claude Opus 4.5 to coordinate the work.
That was development-time: agents helping an attacker write better tooling. Agents get turned on their own users at runtime, too. In a separate case, researchers showed a coding agent could be tricked into running attacker code through poisoned inputs, a chain that can slip past EDR because the agent is acting inside the user's trusted session.
These are separate events with different rules firing, but they share a surface: browser credential calls, LOLBin downloads, and startup writes now come from benign agents, attacker-run agents, and hijacked agents.
That is why the raw action tells you less than it once did. And it sits inside a bigger change in how intrusions look. CrowdStrike's 2026 Global Threat Report found 82 percent of 2025 detections were malware-free, with attackers moving through valid credentials and trusted tools instead of dropping files.
That shift is what pushed detection toward behavior in the first place. AI agents now generate the same behavior for ordinary reasons, crowding the exact signal defenders came to rely on.
What it means for defenders
If developers run these agents under their own accounts, expect endpoint rules to fire on their machines. Sophos's answer is to split the rules by what they catch. Execution noise from an agent retrying a download or emitting oddly formatted PowerShell can usually be scoped.
Key the rule to the agent's parent process (claude.exe, cursor.exe, and their child processes), its workspace or temp path, or the reputation of the download target. That stops a known agent doing ordinary work from generating alerts.
Credential-touching behavior is where you hold the line. Decrypting browser credentials or enumerating Credential Manager does not become safe because an agent did it instead of a person, and an agent should not inherit blanket access to credential stores just because it runs under a trusted user. If the noise comes from Claude Code's --dangerously-skip-permissions mode, disable that mode through managed settings.
Sophos calls this an early read, not a verdict, and notes the shift is still small even if the direction is clear. The open policy question is what a coding agent should be allowed to touch on an endpoint at all, and credential stores are a sensible place to draw the first line.






