Your AI Coding Assistant Just Triggered a Security Alert. Don’t Panic — It’s Trying to Help.
If your endpoint protection software starts lighting up while you’re using Claude Code or Cursor, there’s a good chance it’s not a breach. It’s your AI assistant trying to do its job — and looking exactly like an attacker while doing it.

Sophos X-Ops published a fascinating analysis this week drawn from seven days of real endpoint telemetry. The takeaway is both reassuring and unsettling: AI coding agents are triggering detection rules that were written to catch human attackers. Not because they’re malicious, but because the things they do — decrypting browser credentials, downloading files with system tools, writing to startup folders — overlap almost perfectly with adversary behavior.
This isn’t a bug report or a vulnerability disclosure. It’s a glimpse at what happens when a new class of software lands in an environment where “normal” was defined by a very different set of tools.
What the Numbers Actually Say
Sophos looked at blocking rule hits from its behavioral engine across a seven-day window in June 2026. The headline figures: credential access accounted for 56.2% of blocked agent activity, and execution accounted for 28.8%. The rest was spread across persistence, defense evasion, and something Sophos calls “Disrupt” — low-reputation executables that Adaptive Attack Protection blocked.
Let me break that down because the split matters. More than half of what these agents got stopped for had to do with touching credentials. The single biggest rule, at 42.6% of the credential-access group, fires when a process uses Windows’ Data Protection API (DPAPI) to decrypt browser-stored login data.
Here’s where it gets interesting. That rule was catching GStack’s /browse skill — a widely used skill pack that connects an AI agent to a Chromium instance for browser automation. To do that, it legitimately needs to decrypt saved browser credentials. From the behavioral engine’s perspective, that’s credential theft. From the developer’s perspective, it’s “I asked the agent to log into that dashboard for me.” Both are right. If you’re thinking about how to lock down your supply chain when AI writes your code, this is exactly the kind of ambiguity you need to plan for.
The execution category tells a similar story. Agents reach for certutil.exe and bitsadmin.exe — both legitimate Windows utilities — to download files. Attackers have used these exact same “living off the land” binaries for years. Sophos even documented one sequence where Codex tried certutil first (blocked), then immediately pivoted to bitsadmin (also blocked). The target was python.org. The behavior was indistinguishable from an attacker cycling through download methods.
When Benign Looks Exactly Like Malicious
This is the core problem, and it’s deeper than “tune the rules.” Behavior-based detection became the standard because attackers stopped dropping custom malware and started using valid credentials and trusted tools. CrowdStrike’s 2026 Global Threat Report found that 82% of detections in 2025 were malware-free — attackers simply logging in with stolen credentials and running built-in OS utilities.
Detection engineers responded by watching for the behavior itself: who’s decrypting browser credentials, who’s running certutil to fetch a remote file, who’s writing to the startup folder outside a trusted installer. That shift was the right move against human attackers. But AI agents now generate the exact same signals for entirely legitimate reasons.
Cursor tripped a persistence rule by using PowerShell to drop a startup-folder script. The script related to something called “EZConvert,” and Sophos couldn’t confirm intent without seeing the contents. But the point isn’t what that script did — it’s that a coding agent writing to the startup folder is behavior that has always meant “someone is establishing persistence.” Now it sometimes means “the agent is setting up a tool the developer asked for.” It’s the same kind of trust boundary problem I explored when I wrote about phantom squatting — when AI hallucinated domains get weaponized against you.
The behavioral engine is doing exactly what it was built to do. The problem is that “normal” has changed, and the rules haven’t caught up.
The Other Side of the Coin
What makes this moment especially tricky is that AI agents aren’t just setting off false alarms. Attackers are using them too. A month earlier, Sophos documented an attacker who used Claude Opus 4.5 to coordinate the development of custom malware that evaded EDR products. And in a separate case, researchers showed AI coding agents could be tricked into running attacker code through poisoned inputs — a technique that bypasses endpoint protection because the code runs inside the user’s trusted session.
Then there’s the GhostApproval vulnerability that Wiz published this week. Six popular AI coding assistants — Amazon Q Developer, Claude Code, Cursor, Augment, Google Antigravity, and Windsurf — failed to check symbolic links before writing files. A malicious repo could trick the agent into overwriting your SSH authorized_keys or shell startup file while the approval box shows only the harmless-looking symlink name. Three vendors have fixed it. Anthropic disputes that it’s even a bug. This follows the Alibaba ban on Claude Code over backdoor fears — the broader tension around trusting these tools keeps escalating.
So on one side, you have benign agents that look like attackers. On the other, you have attackers using agents that look like developers. The behavioral signal is breaking in both directions.
What This Means for Your Workflow
If you’re running Claude Code, Cursor, Codex, or any agentic coding tool on a company-managed machine, expect endpoint rules to fire. That doesn’t mean stop using them — it means your security team needs to know they’re coming.
Sophos’s own recommendation is sensible: split the rules by context. Execution noise from an agent retrying a download in a known workspace path can usually be scoped and quieted. Credential-touching behavior is where you hold the line. Decrypting browser credentials or enumerating Credential Manager doesn’t become safe just because an agent did it. And if the agent runs with --dangerously-skip-permissions — yes, that’s a real flag that Anthropic’s own documentation warns against — disable that mode through managed settings.
A few practical things I’d add from experience running these tools myself — and I’ve seen better models sometimes make for worse tools when the assumptions don’t match:
- Run agents in containers or sandboxes. If the agent doesn’t have access to your browser credential store, it can’t trigger the DPAPI rule in the first place. Docker or WSL sandboxing works well for this.
- Watch your startup folder and shell config files. After an agent session in an unfamiliar repo, check
~/.zshrcand~/.ssh/authorized_keysfor unexpected changes. Wiz’s GhostApproval research is a concrete reminder that “trust the repo” is no longer safe default behavior. - Talk to your security team. If EDR alerts spike when developers run AI coding tools, that’s not a misconfiguration — it’s a signal that your detection rules need an AI-agent baseline. Sophos’s dataset is a good starting point for that conversation.
The Bigger Picture
What Sophos has documented here is early — seven days on one vendor’s fleet, not a definitive industry census. But the direction is clear. We’re entering a phase where the tools we trust to help us code are becoming indistinguishable from the tools attackers use to break in. That doesn’t make the tools dangerous. It makes the old way of detecting danger obsolete.
The open question — and it’s one that security teams, AI tool vendors, and developers all need to answer together — is what an AI coding agent should be allowed to touch on an endpoint. Credential stores are the obvious first line. But as these agents get more capable and more autonomous, the list of things they shouldn’t need to touch will keep shrinking. We’re already seeing the consequences of trusting algorithms with decisions they weren’t designed to make, and this feels like the same pattern in a different domain.
For now, the advice is simple: use the tools, but know what they look like from the outside. Your EDR is not broken. It’s just seeing something it’s never seen before — a helpful tool that behaves exactly like a threat.