Coding agents set off EDR rules built for intruders, Sophos finds
Sophos telemetry from June 2026 shows Claude Code, Cursor, and OpenAI Codex triggering credential access and execution rules on developer machines. Credential access made up 56.2 percent of the blocked activity.