Sophos X-Ops telemetry analysis shows Claude Code, Cursor, and OpenAI Codex triggering behavioral EDR detection rules built to catch human attackers. Credential access patterns account for 56.2% of blocked activity -- agents using the same Windows DPAPI technique as Redline stealer.