AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers

AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers
Sophos found that AI coding agents like Claude Code, Cursor, and OpenAI Codex are triggering endpoint detections because their normal actions resemble attacker behavior, including credential access, downloads, and persistence attempts. The report shows that defenders need to distinguish between harmless automation and risky actions, especially around browser credentials and Windows Credential Manager. #ClaudeCode #Cursor #OpenAICodex #DPAPI #WindowsCredentialManager

Keypoints

  • AI coding agents are triggering behavioral detections on Windows endpoints.
  • Credential access made up most of the blocked activity in Sophos’s data.
  • Claude Code was seen decrypting browser data and listing saved credentials.
  • OpenAI Codex used living-off-the-land tools like certutil and bitsadmin.
  • Cursor triggered a persistence rule by writing a script to the startup folder.

Read More: https://thehackernews.com/2026/07/ai-coding-agents-found-triggering.html