Sophos Says AI Coding Agents Are Tripping Endpoint Defenses Meant for Intruders
Sophos has reported that several popular AI coding assistants are generating endpoint activity that resembles attacker behavior closely enough to trigger security controls designed for intrusion detec...
Sophos has reported that several popular AI coding assistants are generating endpoint activity that resembles attacker behavior closely enough to trigger security controls designed for intrusion detection.
After reviewing one week of telemetry from its Windows behavioral engine in June 2026, the company said tools such as Claude Code, Cursor and OpenAI Codex were repeatedly involved in actions commonly associated with credential theft, persistence and living-off-the-land abuse. Sophos emphasized that the agents were not malicious, but that their normal workflows can overlap with techniques defenders typically treat as suspicious.
What the detections showed
The largest share of blocked activity involved credential access, followed by execution-related behavior. In one example, a coding agent used PowerShell and the Windows Data Protection API to access browser-stored credentials, a pattern that security tools often flag as an attempt to steal secrets. Sophos said this appeared to be part of browser automation rather than an attack.
Other cases looked more like classic adversary tradecraft. Claude Code was observed shutting down a browser, querying Windows Credential Manager with cmdkey /list, and operating in a mode that bypasses some permission checks. OpenAI Codex, meanwhile, attempted to download Python using legitimate Windows utilities after an initial method was blocked, then switched to another built-in tool. Cursor also triggered a persistence rule after writing a script into the startup folder.
Why defenders are paying attention
Sophos noted that these alerts matter because attackers increasingly rely on trusted system tools and valid credentials instead of obvious malware. In that environment, the same actions can come from a malicious operator, a compromised agent, or a legitimate AI assistant carrying out a developer’s request.
- Credential-store access should remain tightly controlled, even for trusted AI tools.
- Benign execution noise can often be reduced by scoping rules to known agent processes or work paths.
- Administrators should disable risky modes such as Claude Code’s permission-bypass option where possible.
The company described the findings as an early signal rather than a broad industry verdict, but said they raise an important policy question: how much access should coding agents have on an endpoint before they start to resemble the threats security products were built to stop?
