Sophos found that AI coding agents like Claude Code, Cursor, and OpenAI Codex are triggering endpoint detections because their normal actions resemble attacker behavior, including credential access, downloads, and persistence attempts. The report shows that defenders need to distinguish between harmless automation and risky actions, especially around browser credentials and Windows Credential Manager. #ClaudeCode #Cursor #OpenAICodex #DPAPI #WindowsCredentialManager
Keypoints
- AI coding agents are triggering behavioral detections on Windows endpoints.
- Credential access made up most of the blocked activity in Sophos’s data.
- Claude Code was seen decrypting browser data and listing saved credentials.
- OpenAI Codex used living-off-the-land tools like certutil and bitsadmin.
- Cursor triggered a persistence rule by writing a script to the startup folder.
Read More: https://thehackernews.com/2026/07/ai-coding-agents-found-triggering.html