Sophos: AI Coding Agents Trip Attacker Security Rules

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Sophos analyzed 7 days of June 2026 endpoint telemetry and found AI coding agents (Claude Code, Cursor, OpenAI Codex) triggered security rules built to catch human intruders; credential access made up 56.2% of blocked activity and execution 28.8%.
- The top credential-access rule (42.6% of that group) fired on Windows DPAPI browser credential decryption — caught running under Claude Code via GStack's /browse skill during ordinary browser automation.
- Anthropic's --dangerously-skip-permissions flag was observed in use, with the agent shutting down the browser and pulling credential-store data — a mode Anthropic's own documentation warns administrators to block.
- OpenAI Codex demonstrated pivot-when-blocked behavior, first trying certutil then switching to bitsadmin to fetch a Python installer from python.org — both legitimate Windows utilities attackers routinely abuse.
- Cursor tripped a persistence rule by using PowerShell to drop a startup-folder script that would run at every boot, the kind of behavior defenders flag on sight.
- Sophos recommends defenders scope rules by parent process (claude.exe, cursor.exe) to suppress ordinary agent noise, while holding the line on credential-touching behavior and calling credential stores the sensible first policy boundary.
Why it matters: CrowdStrike found 82% of 2025 detections were malware-free, which is why defenders rely on behavioral signals. AI agents now generate the same credential-dumping, LOLBin-fetching behavior for ordinary dev work — security teams must scope rules by parent process and keep credential stores locked down regardless of who triggers the access.




