Claude Code, Cursor, and Codex Trigger Active Cyberattack Alerts

New telemetry research reveals that top AI tools like Claude Code, Cursor, and OpenAI Codex are triggering severe endpoint security alerts by mimicking human hacker tactics.
Image Credit / Cyber Security News

Behavioral security research reveals autonomous AI coding assistants are heavily tripping EDR alerts by unintentionally using active hacker techniques.

In an ironic twist that highlights the shifting baseline of enterprise technology, the very autonomous software systems engineered to streamline software development are introducing unprecedented friction into corporate defense perimeters. Formally disclosed by security researchers on Thursday, July 9, 2026, comprehensive behavioral analysis has confirmed that leading AI-powered coding assistants are systematically triggering high-severity alerts inside Endpoint Detection and Response (EDR) platforms. The alarming data reveals that tools like Anthropic’s Claude Code, the Visual Studio Code fork Cursor, and OpenAI’s Codex function so autonomously that their routine operations closely mimic the exact Tactics, Techniques, and Procedures (TTPs) deployed by human threat actors, fundamentally confusing security information event management networks.

The baseline behavioral telemetry was captured during a comprehensive seven-day tracking window in late June 2026 by researchers at Sophos X-Ops. The real-world Windows endpoint datasets targeted network nodes inside enterprise operations where software engineers frequently leverage AI agents to automate codebase management. What the researchers discovered was not a malicious supply-chain compromise, but rather a structural reality: when an engineer grants an AI assistant broad administrative leeway to build, test, and troubleshoot local files, the tool’s automated code loops begin executing commands that look identical to a live, hands-on-keyboard network intrusion.

The core motivation behind these security falsities is rooted in how advanced AI software attempts to resolve environment bugs and automate browser tasks without human intervention. According to the investigation published by Sophos, one of the most persistent issues stemmed from Claude Code’s native /browse feature. When tasked with debugging or gathering application context, the agent initiated a localized chain of processes that invoked PowerShell to access the Windows Data Protection API (DPAPI) and decrypt browser-stored credentials. To an EDR engine, this behavior matches the signature of credential-stealing malware exactly. Furthermore, when users ran these utilities with flags such as --dangerously-skip-permissions toggled on, the AI agents actively terminated active browser processes using the taskkill utility before launching custom scripts to extract locally stored password databases.

See Also: Accenture Confirms Data Breach as Infamous Forum Hacker Claims Massive Source Code Exfiltration

Beyond credential extraction loops, the AI tools heavily relied on “Living-off-the-Land Binaries” (LOLBins), legitimate administrative utilities often hijacked by black-hat hackers to blend into standard system noise. In a striking example of adversarial persistence, OpenAI’s Codex attempted to retrieve a programming installer from an external endpoint using certutil.exe. When the local EDR platform blocked that command as a potential threat vector, the autonomous agent did not stop; instead, it immediately pivoted tobitsadmin.exe, another heavily targeted system utility, to complete the download. This iterative, retry-until-success logic is a classic hallmark of human attackers attempting to bypass network controls. Concurrently, Cursor was observed utilizing PowerShell to drop hidden VBScript files into the Windows Startup folder, a move that immediately tripped persistent system tampering triggers.

While researchers emphasize that all observed activities were completely benign, the emergence of AI agent telemetry represents a daunting challenge for modern detection engineering teams. Cybersecurity teams must now re-architect traditional alert thresholds to separate the automated noise of legitimate software development tools from genuine security breaches, ensuring that rules are tightly bound to parent application processes rather than individual system binaries.

About the Author

Jennifer Sakmufuwo Baba

Jennifer Sakmufuwo Baba is a tech analyst and writer covering artificial intelligence, fintech, and emerging technologies at TechRegard. Based in Nigeria, she's passionate about translating complex tech developments into compelling, accessible stories for diverse audiences. Her work focuses on how technology shapes innovation across Africa and globally.