Every endpoint security tool watches for a short list of tells: a process quietly decrypting stored passwords, a browser killed right before its files get read, an installer pulled through a tool nobody legitimate normally touches. Those tells are how antivirus software has long caught intruders. A week of Windows telemetry collected in June 2026 by Sophos X-Ops found that Claude Code, Cursor and OpenAI Codex now trip those exact same rules, routinely, while doing nothing more than their job. Credential-access rules made up 56.2% of the blocking-rule hits Sophos counted across its monitored machines, execution rules another 28.8%. The single biggest trigger, worth 42.6% of all credential-access hits alone, watches for Windows DPAPI calls that decrypt browser-saved passwords — precisely what a coding agent’s browser-automation skill does to keep a session logged in, and precisely what an infostealer does to steal one.
The rule that can’t tell automation from theft
That collision isn’t an accident of overlapping code paths; it’s structural. A coding assistant that can drive a browser needs the same access an infostealer needs, because both are, at the operating-system level, a process reading credentials it didn’t type in itself. Sophos is careful about what this does and doesn’t prove: the detections show “existing behavioral protections are working exactly as designed,” and none of the flagged sessions in its sample turned out to be compromises. Independent coverage from GBHackers confirms the pattern maps onto MITRE ATT&CK’s Execution and Credential Access categories, and names the underlying cost: legitimate AI tool use is “complicating triage processes,” because tools long treated as strong compromise indicators are now everyday developer behavior, and someone still has to review every alert.
Codex swapped tools mid-task, the way an intruder would
More unsettling than the raw percentages is what GBHackers and Sophos documented Codex doing once a control actually stopped it. Blocked from downloading a Python installer through certutil.exe, it pivoted to bitsadmin.exe, a second Windows utility that does roughly the same job through a different door. A static script doesn’t do that when it hits a wall; an adversary probing for the path nobody is watching does. Sophos’s own conclusion is blunt: “the fact that an AI agent did them does not make them safe.” Whether or not any given session is malicious, the agent’s behavior gives an analyst no reliable way to tell the difference from outside, which is exactly why these detections keep firing.
At the operating-system level, a productive coding agent and a credential thief now look the same.
Why this isn’t proof the agents are dangerous
The honest complication is that Sophos never claims otherwise. Nothing in its dataset shows an agent going rogue; it shows detection engineering doing its job against tools it wasn’t trained on yet, and mature security teams have always had to widen their baselines as legitimate software changes shape. The real hinge is prompt injection, which Help Net Security reports OWASP now maps to six of its ten agentic-application risk categories, because large language models process a system prompt, a user’s request and scraped web text as one undifferentiated stream of tokens, with no built-in way to mark some of it command and some data. Benign browser automation only turns dangerous once injected text can steer it — a risk of degree, not certainty, since nobody has shown it happening at scale outside a lab. What’s changed is how little now stands between a compromised prompt and an actual breach.
Removing the checkpoint at the exact wrong moment
That is what makes GitHub’s timing land badly. Its new Autopilot mode for Copilot CLI, shipped the same weeks as the Sophos findings, means “All tool calls are auto-approved” and it “auto-responds to clarifying questions so it can continue iterating until the task is complete.” That second clause is the one worth sitting with: the agent no longer just acts without asking, it answers its own questions before it acts, closing the one moment a human might have caught something off. For a developer, the choice this leaves is a bad one: endure an EDR that keeps interrupting a legitimate workflow with false alarms, in the same way work once checked by humans keeps quietly relocating, or whitelist behavior that is, by design, indistinguishable from an attack, and run it with nobody watching. Either path treats a genuinely unresolved question as if it were already settled, and the tools shipping fastest are the ones betting it is.



