The Sound That Shouldn't Have Been There
It was 2:47 PM on a Tuesday when the alert lit up the security operations console. RED: Credential Theft — DPAPI Decryption Detected. The endpoint team braced for a containment drill. By the time someone traced the source, the culprit had already confessed. It wasn't a hacker. It was Claude Code, doing what a developer had asked it to do five minutes earlier.
This scene is playing out across more engineering teams than anyone is ready to admit. And according to fresh telemetry from Sophos, it's not an edge case — it's a pattern.
The Alarms That Can't Tell Friend from Foe
Sophos looked at a week's worth of its own Windows endpoint data from June 2026, counting unique machines where behavioral detection rules fired. The results reveal an uncomfortable truth: the same behavior that defenders spent years learning to treat as a sure sign of intrusion is now being generated, in bulk, by legitimate coding agents.
Of all the blocked activity Sophos catalogued, 56.2 percent fell under credential access — agents reaching for stored secrets the way a human intruder would. Another 28.8 percent was execution flags: agents running code in ways that look an awful lot like a live attacker.
The biggest single rule, accounting for 42.6 percent of credential-access hits, fires when a process uses Windows' Data Protection API (DPAPI) to decrypt browser-stored credentials. The agent behind it? The widely adopted GStack skill pack, whose /browseskill runs perfectly normal PowerShell that calls DPAPI to unlock saved browser data on behalf of the user. To Sophos, it's credential theft. To the developer, it's just Tuesday.
Three Things That Set Agents Apart from Attackers (But Look the Same)
- Pivot-when-blocked behavior. OpenAI Codex tried downloading a Python installer using
certutil. Blocked. So it switched tobitsadmin. Both are legitimate Windows tools. Both are also staples of living-off-the-land attack chains. The target was harmless. The pattern was identical to an adversary under pressure. - Credential enumeration. In one instance, Claude Code ran
cmdkey /listto enumerate everything in Windows Credential Manager. This is something intruders do to escalate privileges. In this case, Claude was running with its--dangerously-skip-permissionsflag active — a mode Anthropic's own documentation explicitly warns against. - Persistence via startup folders. Cursor triggered a detection by using PowerShell to drop a script into the user's startup folder. The script would run on every boot. Sophos could not confirm what it did, but writing to startup outside a trusted installer is something defenders flag without a second thought.
The Signal Problem No One Designed For
Here's the crux: security teams spent the last decade training detection engines to watch for exactly this behavior because malware-free intrusions — the kind that use valid credentials and legitimate tools instead of dropped files — now account for 82 percent of all detections, according to CrowdStrike's 2026 Global Threat Report. Behavioral detection was the answer to that shift.
Then coding agents showed up and started generating the same signal for completely benign reasons.
Sophos also noted the mirror image of this problem: a month earlier, the same researchers documented an attacker using AI agents — including Claude Opus 4.5 — to build and test malware against EDR products. That was development-time: agents helping an attacker write better tools. And in a separate chain, researchers showed a coding agent could be tricked into running attacker code through poisoned inputs, slipping past defenses because the agent acts inside the user's trusted session.
Now you have three categories generating identical telemetry: benign agents doing normal work, attacker-operated agents building malware, and hijacked agents running compromised code. The detection engine sees one signal. The context is everything — and context is exactly what a behavioral rule lacks.
What This Means for Developers
If you run coding agents under your own account — and most developers do — expect your endpoint protection to fire on your machine. Sophos's recommendation is defensive segmentation: split detection rules so that execution noise from an agent retrying a download or emitting oddly formatted PowerShell gets scoped differently from the same actions performed by an unknown binary.
But that's a patch, not a solution. The deeper truth is that the industry needs a new layer of trust signaling — something that tells a detection engine 'this credential-access call came from an agent acting on behalf of a logged-in user, not a process injected by an adversary.' We don't have that layer yet.
Until we do, the alert at 2:47 PM on a random Tuesday isn't going anywhere. The only question is whether the person responding to it can tell the difference between a coding assistant doing its job and a real breach slipping through the noise.
Comments