AI-Native Methodology

Your AI Coding Agent and a Ransomware Agent Run the Same Playbook. Aim Is the Only Difference.

Bill Cava/

Two things happened in cybersecurity within one week, and almost no one put them side by side. First, an AI agent ran a complete ransomware attack on its own. Second, a security team showed that the AI coding assistant on your machine already trips the same intrusion alarms as malware.

Covered separately, these are a scary headline and a curious footnote. Put together, they are the security story for anyone building with AI agents: the attacker's agent and your agent are the same capability. The only thing that differs is what each one is aimed at, and your defenses cannot see aim.

Can AI agents actually carry out cyberattacks?

Yes, and one just did the whole thing alone. In 2026 the security firm Sysdig documented an operation it named JADEPUFFER and assessed as the first ransomware attack run end to end by an autonomous AI agent: break-in, credential theft, spread, persistence, and encryption, with no human at the keyboard writing the steps.

The news is not a new hole. The agent got in through an old, already-patched flaw in Langflow, a tool for building AI agents (CVE-2025-3248, fixed in April 2025 and on the government's known-exploited list). What matters is what walked through it.

Once inside, the agent ran the full playbook itself. It hunted for credentials, moved laterally through storage, set up a recurring beacon for persistence, probed for ways to escalate, and encrypted what it found. Along the way it generated more than 600 distinct payloads. When one login failed, it diagnosed the problem and issued a corrected fix in 31 seconds.

One detail gives the game away. Sysdig noted the agent's code was saturated with plain-language commentary explaining why each action was taken. Human operators do not annotate throwaway one-line scripts that way, but a language model does it by default. The attacker left reasoning in the code because the attacker was a model.

Why do AI coding assistants trigger security alerts?

Because their normal behavior is, on the wire, an attack. Days before the JADEPUFFER writeup, Sophos X-Ops published telemetry from June 2026 showing that mainstream AI coding agents (Claude Code, Cursor, and OpenAI Codex) routinely set off endpoint security monitoring, the software that watches a machine for intrusions.

The flagged behaviors read like a penetration test. The agents decrypt browser-stored passwords out of the Windows vault, enumerate saved logins, and kill the browser process before reading its credential store. They pull files down with trusted built-in Windows tools like certutil and bitsadmin, the technique attackers use to avoid dropping obvious malware, and write to the startup folder to persist.

Every one is also your agent doing its job. Sophos mapped the bulk of this activity to two attacker categories, Credential Access and Execution, the same labels a real intrusion would earn.

A security tool's process tree showing claude.exe launched with the dangerously-skip-permissions flag, spawning PowerShell, then Python running a script named decrypt_wp_pass.py
A coding agent, as your security tools see it: claude.exe launching a credential-decryption script. Telemetry: Sophos X-Ops.

None of this is the agent misbehaving. It is the agent doing its job: reading a credential you asked it to use, fetching a dependency, keeping a session alive. The intent is benign. The behavior is not distinguishable from malice by the systems built to catch malice. Sophos said it plainly.

From the perspective of an endpoint behavioral engine, some of that activity is indistinguishable from typical activity seen on customer networks, or, in some cases, from actions that might be undertaken by an active adversary.

Sophos X-Ops, When AI agents look like attackers

What is AI agent security now?

It is governing aim and permissions, because intent is no longer inspectable. Put the two findings together and the shape is clear. JADEPUFFER is the autonomous capability aimed at destruction. Your coding agent is the same class of autonomous capability aimed at building. The alarms fire the same for both.

This is the manifesto line made literal: AI amplifies your direction, right or wrong. Aim matters more than ever. JADEPUFFER is that sentence with a hostile aim, at machine speed. The capability was never the safeguard. The aim was, and aim is exactly what a security tool cannot read off the wire.

The corollary for builders is uncomfortable. If your defenses cannot tell your agent from an attacker holding your credentials, then "I trust my agent" is not a security posture. It is the absence of one. Trust lives in the one place the tooling cannot see, and it does nothing when a prompt injection redirects the agent you trusted.

We wrote in June that frontier attack capability now runs on open weights and cannot be gated. JADEPUFFER is the receipt: the capability spread, an aim turned hostile, and the door it came through was a framework for building agents. You cannot put this capability back. You can only decide what it is allowed to touch.

Is agentic AI a bigger cybersecurity risk than earlier AI?

It is a different risk, and the difference cuts both ways. Earlier AI made attackers faster at writing phishing emails or code. Agentic AI executes the whole operation and adapts mid-run, which is a real escalation. But the same autonomy powers autonomous defense, faster patching, and agentic security tooling.

That symmetry is the actual point, not a comfort. The capability is neutral. It is not that agents are dangerous and should be avoided. It is that capability has stopped being the variable that decides safety. Aim and permissions are the variable now, which is good news, because those are things you can actually design.

How do you secure AI agents in software development?

Treat your own agent stack the way you would treat an attacker who already has your credentials. You are the person who decides what the coding agent can reach, so the trust boundary is a design decision you are already making, silently. Make it on purpose. Four moves:

Scope every agent to least privilege. Decide what each agent can read, run, and reach, and scope it as tightly as you would scope an intruder. An agent that only needs one repo does not get the whole file system or your production keys.

Break the lethal trifecta. An agent with access to private data, the ability to run tools, and a path to the outside world can be turned into an exfiltration engine by a single injected instruction. Keep those three from meeting, the way the GitLost exploit showed when a public issue made an agent leak a private repo.

Route agent actions into your security telemetry. Sophos proved your agents are already generating the alerts. Do not suppress the noise. Treat agent actions as first-class security events, so a compromised or redirected agent shows up the same way an intruder would.

Keep a named human owner for high-consequence actions. Deleting data, moving money, touching production: these get a person who owns the call. Not a checkbox. Someone accountable, because the agent's judgment is exactly what you cannot audit after the fact.

None of this is "stop using coding agents." We work alongside these agents every day, and designing their reach deliberately is the same trust-boundary discipline, with the stakes now made plain. The same autonomy that ships your product ships an attack the moment the aim flips.

The attacker in JADEPUFFER did not need a better model than the one on your machine. They needed the same one, aimed differently, with permissions no one would grant on purpose. Grant them on purpose now, or an injected prompt will grant them for you.

Frequently asked

What is AI agent security?
It is the practice of securing autonomous AI agents and the systems they act on.
It is the practice of securing autonomous AI agents and the systems they act on. What changed in 2026 is the threat model: agents now take real actions (read files, run commands, move data, call tools), so the same autonomy that makes a coding agent useful makes it behaviorally identical to an attacker. Securing an agent is now about governing its aim and its permissions, not trusting its intent.
Can AI agents be used to carry out cyberattacks?
Yes, and it has happened end to end. In 2026 Sysdig documented JADEPUFFER, which it assessed as the first ransomware operation run entirely by an autonomous agent: reconnaissance, credential theft, lateral movement, persistence, privilege-escalation probes, and encryption.
Yes, and it has happened end to end. In 2026 Sysdig documented JADEPUFFER, which it assessed as the first ransomware operation run entirely by an autonomous agent: reconnaissance, credential theft, lateral movement, persistence, privilege-escalation probes, and encryption. It generated 600-plus distinct payloads and, when a login failed, diagnosed and fixed the problem in 31 seconds. The skill floor for a full attack dropped to the cost of running an agent.
Why do AI coding assistants trigger security alerts?
Because their normal behavior looks like an attack. Sophos X-Ops found that Claude Code, Cursor, and OpenAI Codex routinely trip endpoint-detection alerts by decrypting browser-stored credentials, enumerating stored logins, using trusted system tools like certutil and bitsadmin to fetch files, and writing to the startup folder for persistence.
Because their normal behavior looks like an attack. Sophos X-Ops found that Claude Code, Cursor, and OpenAI Codex routinely trip endpoint-detection alerts by decrypting browser-stored credentials, enumerating stored logins, using trusted system tools like certutil and bitsadmin to fetch files, and writing to the startup folder for persistence. From a behavioral standpoint these are hard to separate from an attacker, even though the intent is benign.
How do you secure AI agents in software development?
Treat your own agent stack the way you would treat an attacker with your credentials.
Treat your own agent stack the way you would treat an attacker with your credentials. Apply least privilege to what each agent can read, run, and reach; keep agents out of the private-data-plus-external-communication combination; log and monitor agent actions as first-class security telemetry; and require a named human owner for high-consequence actions. The defense is architectural, because you cannot secure an agent by trusting its aim.
Is agentic AI a bigger cybersecurity risk than previous AI?
It is a different risk. Earlier AI helped attackers write phishing or code faster; agentic AI executes the operation autonomously, adapting in real time.
It is a different risk. Earlier AI helped attackers write phishing or code faster; agentic AI executes the operation autonomously, adapting in real time. The same shift helps defenders and builders too. The capability is neutral; the security question has moved from what the model can do to what its operator aims it at and what permissions it holds.
Subscribe

Considered takes, in your inbox.

We write when we learn something worth sharing. No schedule, no marketing digests. Built for engineers and product owners shipping with agents.

~1 email/wk · Unsubscribe anytime