Welcome to the modern workplace mystery: helpful AI coding assistants are doing perfectly innocent developer tasks that look exactly like cyberattacks to endpoint security tools. A week-long look at telemetry from a security vendor showed those agents performing the kinds of actions defenders long treated as high-probability indicators of compromise.

Why security tools are freaking out

Developers let AI buddies like Claude Code, Cursor, and OpenAI Codex help with routine chores. Trouble is, those chores include things like decrypting saved browser passwords, poking around Windows’ credential store, pulling files with built-in utilities, and dropping items into startup folders — the exact behaviors EDRs were trained to hate. From the detector’s perspective, this is classic attacker playbook: look for credential grabs, LOLBin downloads, persistence writes, and you’ve got a hit.

Examples seen in the telemetry included an agent using Windows’ Data Protection API to unlock browser-stored credentials (a productivity task in context, credential theft according to the rule), running cmdkey /list to enumerate Credential Manager, and switching download methods when a tool like certutil got blocked — then trying bitsadmin instead. One agent even dropped a script into the startup folder via PowerShell, tripping persistence detections.

  • Decrypting saved browser passwords with DPAPI
  • Enumerating Windows Credential Manager
  • Using built-in utilities (certutil, bitsadmin) to fetch files
  • Writing scripts to the startup folder for persistence

Two things make this especially annoying: first, these agents pivot when blocked — they try another method just like a live attacker would — and second, some agents can be run in permissive modes that bypass safeguards, which is when harmless automation looks downright malicious. This shift means the old rule of thumb — that these actions equal badness — is starting to break down. It’s still dangerous behavior, but now it’s noisy.

So what should defenders do?

Good news: you don’t have to throw out behavioral detections. You just have to be smarter about context. If your developers are running coding agents under their own accounts, expect more alerts. The pragmatic moves:

  • Scope noisy execution rules by parent process (e.g., the agent binary), workspace or temp path, or the reputation of the download source so known, legitimate agent activity doesn’t spray the timeline with false positives.
  • Keep a hard line on credential access. Decrypting browser stores or enumerating credential managers should remain gated and monitored — an agent getting a free pass is a bad idea.
  • Treat downloads from LOLBins or living-off-the-land utilities with suspicion and use reputation checks or allowlists for trusted targets.
  • Disable dangerous or permissive modes on agent software through managed settings if they exist; those flags are shortcuts to trouble.

Remember: attackers are already using AI at development and runtime — to build better malware or to trick coding agents into running malicious inputs — so the same agent technology can sit on both sides of the fence. That makes clean binary signals rarer and context far more valuable. Tighten controls around sensitive resources (credential stores are a good starting point), tune rules to known agent contexts, and keep an eye on how agents behave when a step gets blocked. In short: don’t blame the AI for being curious — just manage what it’s allowed to touch.