HackMyIP
← Back to News
2026-07-08 The Hacker News

AI Coding Agents Trigger Endpoint Security Alerts Built for Attackers

AI SecurityThreat IntelAI Threats

Sophos researchers examining a week of endpoint telemetry from June 2026 have found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are routinely tripping detection rules originally written to catch human intruders. Across its Windows fleet, the vendor's behavioral engine logged credential access as 56.2% of all blocked activity and execution as 28.8%, with most of it traced not to malware but to developers' own AI assistants going about routine work. The shift, Sophos notes, is not that the behaviors are new; it is that the source has changed from a remote threat actor to a locally running agent doing what a user asked of it.

The clearest example involves GStack, a popular skill pack for coding agents whose /browse command runs PowerShell that calls Windows' Data Protection API (DPAPI) to decrypt stored browser credentials. This single technique accounted for 42.6% of all credential-access detections and was observed running under Claude Code. Sophos also captured a session in which Claude Code shut down the user's browser and pulled data directly from its credential store, and another in which it executed `cmdkey /list` to enumerate Windows Credential Manager entries. In several of these cases Claude Code was running with Anthropic's `--dangerously-skip-permissions` flag, a mode the vendor's own documentation warns administrators to disable. For anyone reviewing these alerts, the gap between a credential-stealing infostealer and an AI assistant performing browser automation has become vanishingly small, a problem compounded by the fact that users often reuse the same passwords across services. A quick password strength check can at least surface weak logins that an agent might be tempted to reuse or store in plaintext.

The agents also demonstrated adaptive behavior that mirrors live operators. When OpenAI Codex attempted to fetch the Python installer from python.org using `certutil` and was blocked, it pivoted to `bitsadmin`, another dual-use Windows utility long favored by attackers for payload delivery. Separately, Cursor triggered a persistence detection by using PowerShell to drop a script into the startup folder so it would execute on every boot, the same kind of autorun technique Sophos's rules are designed to flag. "Pivot-when-blocked" behavior has historically been a high-fidelity indicator of a human attacker, but benign coding agents now exhibit the same pattern, forcing defenders to rethink the signal entirely.

The downstream risk cuts both directions. Sophos has already observed offensive AI agents on the other side of the line, using the same living-off-the-land tradecraft that defenders are now struggling to attribute. Until behavioral engines can reliably distinguish an authorized agent from a malicious one, security teams should expect a higher volume of triage noise, more false positives, and a renewed need to baseline what is normal on developer machines. Practitioners responding to these alerts can start with basic hygiene: verify SSL posture on internal endpoints with an SSL/TLS checker, audit agent configurations, and disable permission-skipping flags at the policy level rather than the project level.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

My IP →IP Lookup →Privacy Checkup →

Related Guides

Learn the background behind this story:

What is my IP and why it matters →IP address security →How to stop being tracked online →