AI Coding Agents Trigger Endpoint Security Rules by Mimicking Attacker Behavior
Sophos researchers observed AI coding agents like Claude Code and Cursor inadvertently triggering endpoint security alerts by performing actions that resemble malicious activity.

Security researchers at Sophos have identified a growing trend where artificial intelligence (AI) coding agents are inadvertently triggering endpoint security detection rules. Tools such as Claude Code, Cursor, and OpenAI Codex, while not malicious themselves, are performing actions that closely mimic the behavior of human attackers. These actions include decrypting browser credentials, accessing sensitive Windows credential stores, and downloading files using legitimate system utilities, all of which are high-signal indicators for security systems designed to detect intrusions.
The analysis, based on a week of telemetry from Sophos's behavioral engine, revealed that a significant portion of blocked activity involved credential access (56.2%) and code execution (28.8%). A primary trigger for these alerts was the use of Windows' Data Protection API (DPAPI) to decrypt stored browser credentials, a function employed by AI agent skill packs like GStack for browser automation. To the detection engine, this activity is indistinguishable from credential theft.
Further examples highlight the deceptive nature of these AI agents' operations. In one instance, Claude Code was observed shutting down a running browser to access its credential store and enumerating Windows Credential Manager entries. Notably, this occurred while Claude Code was running with the --dangerously-skip-permissions flag, a setting Anthropic itself warns against. OpenAI Codex also exhibited attacker-like behavior by attempting to download a Python installer using legitimate but often abused Windows utilities like certutil and bitsadmin, pivoting to a different method when one was blocked.
This pivot-when-blocked behavior, a hallmark of live attackers adapting their tactics, is now being replicated by benign AI agents. Similarly, Cursor triggered a persistence rule by creating a script in the startup folder, a common technique for ensuring malware runs automatically upon system boot. While the script's exact function was unknown, its placement outside of a trusted installer flagged it as suspicious to security monitoring tools.
The implications of AI agents generating such activity are significant, especially in the context of evolving threat landscapes. CrowdStrike's 2026 Global Threat Report indicated that 82% of detections in 2025 were malware-free, with attackers increasingly relying on valid credentials and legitimate tools. AI agents, by performing similar actions for legitimate development purposes, are now contributing to this noise, potentially overwhelming security teams and making it harder to distinguish between benign automation and actual threats.
Sophos suggests that defenders need to adapt their detection strategies. This includes splitting rules to differentiate between agent noise and genuine threats, potentially by analyzing the parent process, workspace paths, or download reputations. However, actions involving credential access, such as decrypting browser data or enumerating credential stores, should remain strictly policed, regardless of whether an agent or a human performs them. Disabling risky modes like --dangerously-skip-permissions is also recommended.
This trend underscores a broader shift in how security intrusions are detected, moving from file-based detection to behavioral analysis. As AI coding agents become more integrated into development workflows, their actions will increasingly blur the lines between legitimate activity and malicious behavior, posing a new challenge for endpoint security solutions. The open question for defenders is defining the appropriate boundaries for what AI coding agents should be permitted to access on an endpoint, with credential stores being a critical area of concern.