Skip to main content
Cybersecurity

AI Coding Agents Trigger Endpoint Security Rules Meant for Attackers

Developer workstation with laptop and coding tools, subtle security presence hinted at with blurred software interface and…

56.2 percent of the blocked activity Sophos recorded in a week of June 2026 telemetry involved attempts to access credentials — and much of that activity came from developer coding assistants, not intruders.

Sophos behavioral engine (seven days, June 2026)

Sophos examined seven days of its own Windows endpoint telemetry from June 2026, counting events by unique machines rather than raw event volume. That narrow window, taken from one vendor's fleet, showed credential-access behaviors accounted for 56.2 percent of the blocked activity and execution behaviors 28.8 percent. Sophos explicitly frames these findings as an early read on a small but clear direction, not an industry census.

GStack /browse skill and DPAPI browser decrypts

The single largest detection within the credential-access group — 42.6 percent of that subset — triggered when a process invoked Windows' Data Protection API (DPAPI) to decrypt stored browser credential data. Sophos identified GStack as a widely adopted skill pack for coding agents; its /browse skill runs PowerShell that calls DPAPI to unlock saved browser data. On the machines Sophos watched, that activity often appeared under Claude Code and, in context, was likely browser automation performed for the user. To the behavioral detection engine, however, DPAPI calls to extract browser-stored credentials read the same way as credential theft, and the rule fired accordingly.

Claude Code's permission-skipping examples and cmdkey enumeration

Sophos described additional examples where Claude Code shut down a running browser and ran a script that pulled data from the credential store. In a separate instance the agent ran cmdkey /list to enumerate entries held by Windows Credential Manager. Sophos noted Claude Code had been run with a --dangerously-skip-permissions flag in that case — a mode Anthropic's documentation warns against and that administrators are instructed how to block. Sophos's point: credential-touching behavior remains high signal and should not be made broadly permissive simply because an agent is automating a developer's tasks.

OpenAI Codex, LOLBins and Cursor persistence writes

Other observed agents showed the pivoting behavior defenders associate with live intruders. OpenAI Codex fetched a Python installer from python.org, starting with certutil to pull the file; when that was blocked it retried with bitsadmin. Both certutil and bitsadmin are legitimate Windows utilities attackers commonly abuse to fetch payloads — so-called living-off-the-land binaries (LOLBins) — and the agent's switching behavior mirrors how a live intruder adapts when a download is blocked. Separately, Cursor tripped a persistence rule by using PowerShell to drop a startup-folder script intended to run at boot. Sophos could not confirm what that script did, but it flagged the write because writing to startup outside a trusted installer is a classic persistence technique.

Claude Opus 4.5, poisoned inputs, and the attacker-side use of agents

The overlap between benign and malicious use of agents is already visible. Sophos documented, a month earlier, an attacker who used AI agents to build and test malware against endpoint detection and response (EDR) products; one agent in that case ran Claude Opus 4.5 to coordinate the work. Researchers also demonstrated that a coding agent can be tricked into running attacker-provided code through poisoned inputs, a chain that can bypass EDR because the agent executes inside the user's trusted session. The result: browser credential calls, LOLBin downloads, and startup writes can originate from benign developer assistants, attacker-run agents, and hijacked agents alike.

What this means for defenders, developers, and attackers

  • Defenders: Expect noise on developer machines where coding agents run under user accounts. Sophos recommends splitting detection rules by what they catch — for example, keying rules to the agent's parent process (claude.exe, cursor.exe, and their child processes), workspace or temporary paths, or the reputation of the download target — so known benign agent activity can be scoped without blinding protection to credential theft.
  • Developers: Credential-touching actions — decrypting browser credentials or enumerating Credential Manager — remain a sensible line to hold. Sophos specifically calls out disabling or managing modes like Claude Code's --dangerously-skip-permissions through managed settings to avoid granting agents blanket access to credential stores.
  • Attackers: The same adaptive behaviors that make agents useful to legitimate users — trying alternative download methods, dropping startup scripts, probing credential stores — also make them valuable when repurposed for offensive work, as seen in Sophos's EDR-testing example and the poisoned-input research.

Sophos frames this as an early but clear shift: behavioral signals defenders relied on are being generated by benign automation as well as by attackers. CrowdStrike's 2026 Global Threat Report, cited by Sophos, found 82 percent of 2025 detections were malware-free, underscoring a broader move to credential and living-off-the-land techniques. The policy choice Sophos leaves open is explicit: what should a coding agent be allowed to touch on an endpoint? The vendor suggests credential stores are a sensible first line.

Read the original Sophos analysis at thehackernews.com — AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers.