Your security tool just blocked Claude Code. Or Cursor. Or Codex.
Not because the agent is malware. Because the agent did something that looks like malware: decrypt browser credentials, enumerate Windows Credential Manager, retry a download with certutil then bitsadmin, or drop a script in the startup folder.
That is the uncomfortable finding from Sophos X-Ops in early July 2026: AI coding agents are colliding with endpoint behavioral detections built for human attackers. The agents are usually innocent. The detections are still doing their job.
If you ship with agentic tools every day, this is not a "security team problem." It is a production agent workflow problem.
What Sophos actually measured
Sophos analyzed seven days of June 2026 telemetry from its CIXA behavioral engine on Windows, counting unique machines, not raw event spam. It is one vendor's fleet, not a global census — and still directionally important.
Of blocking rule hits tied to AI agents:
| MITRE-ish bucket | Share of blocked agent activity |
|---|---|
| Credential Access | 56.2% |
| Execution | 28.8% |
| Other (incl. "Disrupt" / AAP) | remainder |
The Hacker News summary of the same research puts the picture in plain English: credential access and execution dominate because agents reach for secrets and run code the way attackers do.
That matches the broader shift already underway. CrowdStrike's 2026 Global Threat Report noted that 82% of 2025 detections were malware-free — attackers living off valid credentials and trusted tools. Behavioral engines got good at spotting that pattern. Now coding agents generate the same pattern for ordinary developer work.
The behaviors that look like attacks
Sophos and coverage around it call out concrete, recognizable agent patterns:
1) Browser credential decryption (DPAPI)
The single biggest credential-access rule (~42.6% of that group) fires when a process uses Windows DPAPI to unlock browser-stored credentials.
Sophos flags GStack as a widely used skill pack. Its /browse skill runs PowerShell that decrypts saved browser data so the agent can automate login-ish tasks. Under Claude Code, that is almost certainly "help me use the browser." To EDR, it is credential theft — and the rule is correct to fire.
In another example, Claude Code shut down a running browser and pulled credential store data via Python. Separately, it ran cmdkey /list to enumerate Windows Credential Manager. Sophos also notes cases where Claude Code was running with --dangerously-skip-permissions — a mode Anthropic documents as risky and that orgs can block with managed settings.
2) Living-off-the-land downloads (LOLBins)
OpenAI Codex tried to fetch a Python installer from the real python.org using certutil. When blocked, it pivoted to bitsadmin. Both are legitimate Windows utilities. Both are classic attacker tools for payload retrieval. The pivot-when-blocked loop is what makes agents feel like hands-on-keyboard adversaries instead of static scripts.
3) Persistence-shaped writes
Cursor tripped a persistence rule by using PowerShell to drop a startup-folder script. Even when the intent is benign automation, writing outside a trusted installer path is something defenders flag on sight.
None of this requires the agent to be "evil." It only requires the agent to be autonomous enough to try the next tool when the first one fails — which is exactly what makes modern coding agents useful. I wrote about that competitive shift in The Real AI War of 2026 Isn't Chatbots. It's Coding Agents.
Agents on both sides of the line
The same surface is already dual-use:
- Sophos previously documented attackers using AI agents (including Claude Opus-class coordination) to build and test malware against EDR products.
- Separate research has shown coding agents can be tricked into running attacker code ("agentjacking") through poisoned inputs — often inside a trusted user session, which is exactly where EDR is least comfortable yelling.
So defenders now see browser-cred calls, LOLBin downloads, and startup writes from:
- Benign coding agents doing real work
- Attacker-operated agents building tools
- Hijacked agents acting under a developer's identity
The raw action alone tells you less than it used to.
What actually works after the demo
Here is the practical playbook I would ship with any team running Claude Code, Cursor, Codex, or local harnesses like OpenClaw + Ollama.
1) Split "noise" from "never allow"
Sophos's guidance maps cleanly to agent ops:
| Category | Example | Policy instinct |
|---|---|---|
| Execution noise | Retrying downloads, weird PowerShell shape, low-rep installer from a known good origin | Scope/allowlist by parent process (claude.exe, cursor.exe, children), workspace/temp path, and download reputation |
| Credential hard line | DPAPI browser decrypt, Credential Manager enumeration | Do not blanket-trust because an agent did it. Deny by default. Require explicit, audited skill/tool grants |
| Persistence | Startup folder writes, autorun changes | Block unless the agent is in a dedicated sandbox VM/profile |
2) Kill dangerous permission modes in managed settings
If noise traces back to Claude Code's --dangerously-skip-permissions, turn it off org-wide. Anthropic's own Claude Code security docs emphasize permission-based architecture, sandboxed bash, working-directory boundaries, and managed settings for teams. Use them. Do not run production agent fleets in "just approve everything" mode because the demo felt fast.
Hooks and hard constraints still matter more than vibes. Soft prompts will not stop a skill pack from calling DPAPI.
3) Give agents a smaller blast radius
Run high-agency sessions where:
- The agent has no access to personal browser profiles
- Secrets live in a vault / env injector the agent cannot dump wholesale
- Network is allowlisted (package registries, docs, your APIs — not the open web by default)
- Writes are limited to a project worktree or cloud sandbox
Cloud agent sandboxes (Claude Code on the web style isolation, remote sandboxes, worktrees) exist for this reason. Local "full user rights" agents are convenient and also the reason EDR is screaming.
4) Treat skill packs as supply chain
GStack's /browse skill is a perfect example: a useful automation that inherits a high-signal detection. Before you install community skills/MCP tools:
- Read what shell they run
- Prefer skills that use official browser automation APIs over credential-store scraping
- Pin versions and review diffs when skills update
This is the same hygiene as npm packages — only the failure mode is "security page-out at 2am," not just a broken build.
5) Pair agent adoption with SOC runbooks
Tell security before you roll out fleet-wide coding agents:
- Expected parent processes and install paths
- Expected package managers and download origins
- Which machines are "agent workstations" vs. high-value production admins
Otherwise every Claude session becomes a mini incident. Model upgrades like Claude Sonnet 5 and broader work-agent surfaces will only increase session volume.
The real policy question
Sophos frames it cleanly: this is an early read, not a verdict that agents are broken. The open question is simpler and harder:
What should a coding agent be allowed to touch on an endpoint at all?
Credential stores are a sane first red line. Startup persistence is another. Autonomous LOLBin pivots after a block are a third — useful for agents, high-signal for attackers.
If your team only optimizes for "agent completes the ticket," you will keep training EDR to ignore attacker-shaped behavior. If you only optimize for zero false positives with naive allowlists, you will open a hole for agentjacking and attacker-driven agents.
The winning posture is boring:
- Least privilege by default
- Scoped allowlists for known agent parents
- Hard denies for credential and persistence primitives
- Human review for anything that looks like living-off-the-land
That is not anti-agent. It is how agents survive contact with real enterprise endpoints.
Quick checklist you can paste into your team wiki
- [ ] Inventory agent binaries and skill packs on developer machines
- [ ] Disable skip-permissions / YOLO modes via managed policy
- [ ] Block agent access to browser credential DBs and Credential Manager
- [ ] Prefer sandbox/worktree/cloud execution for long autonomous runs
- [ ] Give SOC parent-process + path allowlist guidance before the alert storm
- [ ] Review MCP servers and community skills like third-party code
- [ ] Measure cost and risk per completed outcome, not just tokens (see the broader agent economics angle in the coding-agent race notes)
Bottom line
Coding agents did not suddenly become malware. Endpoint detections did not suddenly become wrong.
Agent autonomy now overlaps the behavioral signature of intrusion. That is a systems design problem for anyone serious about agentic software engineering in 2026.
Ship the agent. Also ship the blast radius.
Sources
- Sophos X-Ops — When AI agents look like attackers: what behavioral telemetry tells us
- The Hacker News — AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers
- Cyber Security Intelligence summary of the Sophos findings
- Sophos — Pointing a Cursor at Evading Detection
- CrowdStrike 2026 Global Threat Report
- Claude Code Security documentation
- The Hacker News — Agentjacking coverage
Discussion: Has your team's EDR/XDR already started paging on Claude Code, Cursor, or Codex? What did you allowlist — and what did you hard-block?
Top comments (0)