Insider Used a AI Agent to Exfiltrate, Artemis AI Caught It Live

Avatar photo
Hadar Waldman July 13, 2026

Insider theft used to require a skilled insider. This one just required a sentence: a departing engineer asked his AI agent to download the company’s code, and minutes later the whole private codebase was on it’s way out.

TL;DR. Insider theft used to require skill: an insider who could script, stage, and move data quietly, over days. That barrier is gone. An engineer at an enterprise, who believed he was about to be let go after layoffs in his org, prompted his Claude Code, a sanctioned tool in this enterprise, with the simple instruction: back up the company’s private repositories into my SSD drive. Claude authorized a new source-control OAuth token, and started a scripted process to download 7,315 private repositories, effectively the entire codebase, in about two hours. One prompt turned an average employee into a highly capable exfiltration operator.

Nothing looked wrong to the identity stack: corporate SSO, passed MFA, the engineer’s own managed laptop, the company’s own network. Artemis caught it anyway, by doing something new. Artemis detected the anomalous activity in GitHub logs, tracked it down through end point telemetry, read the agent’s own execution logs off the endpoint, tied the Claude Code session to the source-control downloads and the identity, and reconstructed the whole operation as one actor in real time. Then it followed the data to its destination and caught a personal SSD plugged in mid-copy, the codebase being written to it. That real time detection enabled the security team stop the person before he left the building, eliminating adverse impact for the company.

What normal looked like

The account belongs to a working developer, and for the month before the incident it behaved like one: pushing commits, opening pull requests, merging them. In thirty days it had never once bulk-downloaded a repository as an archive. The most useful thing Artemis knew going into the day was the shape of this account’s ordinary work, and that a mass archive pull had no place in it.

What the logs couldn’t show is what changed for the person behind the account. His org had just been through layoffs, and he believed his own notice was coming. That’s the oldest insider trigger there is: an employee who senses the exit is near and decides to take the work with him. What’s new isn’t the motive, It’s that he no longer needed the skills to act on it; his coding agent had them. None of that intent is visible in an audit trail. What is visible is the behavior it produced.

The identity side was just as unremarkable, which is the part that reassures every tool built to watch it. Corporate SSO, passed MFA, the same managed-device fingerprint Artemis had already seen 81 times over three weeks. A brief two-location authentication looks alarming in isolation, but it resolves to a VPN split-tunnel plus a mobile push, a pattern the account had shown before. No stolen session, no new device. The real employee, on the real laptop. That is the baseline the rest of the story breaks from.

The click, then the machine

The whole operation ran through Claude Code. The engineer opened his AI coding agent on his laptop and pointed it at the job: pull down the company’s private repositories. He didn’t write the downloader. He asked Claude to, and the agent handled the rest, from extracting the credential to scripting the loop to managing GitHub’s rate limits. The endpoint telemetry recorded the agent’s fingerprint on every process in the tree:

{
  "event_simpleName": "ProcessRollup2",
  "FileName": "curl",
  "ParentBaseFileName": "zsh",
  "CommandLine": "/bin/zsh -c source /Users/REDACTED/.claude/shell-snapshots/snapshot-zsh-...",
  "AI_AGENT": "claude-code_2-1-150_agent",
  "CLAUDE_CODE_ENTRYPOINT": "cli"
}

It began with a step that looks entirely ordinary. At 13:00:49 UTC the engineer authorized a new OAuth token for the coding agent, with broad scope: read access to every private repository the account could see, plus workflow files. A human pressed “Authorize.” To this point it’s a developer setting up a tool they’re allowed to use.

Five minutes later the agent got to work. It read the token out of local credential storage (gh auth token) and handed it to a command-line client. Not a browser: a curl loop, fanned out four ways with xargs, hitting the archive endpoint for one repository after another. Asked to grab everything, Claude wrote exactly that. The endpoint telemetry caught the shape of it:

xargs -n 2 -P 4 bash -c download_one "$1" "$2" _

curl -sSL -H "Authorization: Bearer <redacted>" \
  <https://api.github.com/repos/REDACTED-ORG/REDACTED-repo/zipball/master> \
  -o /Users/REDACTED/repos/REDACTED-repo.zip

The download_one function was never written to disk; it lived in memory as an exported shell function, which is why there was no script to find. It started at 13:05:40 UTC and did not stop for two hours. By 15:09 UTC it had pulled 7,315 distinct private repositories. The pace tells you no one was clicking: at its peak, 143 in a single minute, a new archive roughly every 420 milliseconds. This was the first archive-download activity the account had ever produced. From zero, straight to effectively the entire private codebase, 385 times more than the busiest other human in the org.

One more detail makes this worth writing about. The token wasn’t being driven by a person at a terminal. Each archive pull landed in the source-control audit log as a repo.download_zip event with a command-line user agent, not a browser:

{
  "action": "repo.download_zip",
  "actor": "REDACTED-USER",
  "user_agent": "curl/8.20.0",
  "access_type": "OAuth access token",
  "repo": "REDACTED-ORG/REDACTED-repo",
  "event_time": "2026-05-26 15:08:53"
}

curl/8.19.0 on an OAuth token is a script, not a person, and the script was Claude’s. The developer had made a single request; the agent turned it into two hours of automated downloading at a speed no human hand produces. One person’s decision, executed by an AI at machine scale.

Time (UTC)What happenedATT&CK
08:45Engineer signs in via corporate SSO, MFA passes, behavior flags cleanT1078
13:00:49Engineer interactively authorizes a broad-scope OAuth token for their AI coding toolT1550.001 · T1528
13:05:00On the laptop, the token is read from local credential storage; an agent launches via Node.jsT1555
13:05:40A scripted curl client begins pulling private-repo archives with that tokenT1213.003
13:05–15:097,315 repositories downloaded, first-ever bulk pull for the account, 385× the org’s next-highest human, peaking at 143/min. The detection point.T1213.003 · T1567
14:52+The same token continues, now under an AI-agent user-agent making API callsT1550.001
15:42A personal portable SSD is connected to the laptop; a full copy of the machine, archives and company documents included, is written to it in real time, surfaced live during the investigationT1052.001

How Artemis caught it

The detection fired on the download’s shape, not on a signature: a principal running its first-ever bulk archive-download in a 30-day window, at ~143 requests/minute, against a repository count no other account in the org came close to. That was enough to open a case.

The investigation then joined three log sources into a single actor. The source-control audit events carried the repository actor; the identity events carried the SSO user; the endpoint telemetry carried the device, the process tree, and the coding agent’s own execution footprint- the Claude Code session that spawned the downloads. Artemis linked the source-control session to the identity session on the shared email, and both to the endpoint record for the same laptop, so the OAuth grant, the curl requests, and the agent run that drove them read as one timeline instead of three disconnected feeds. Reading an AI agent’s execution logs and fusing them with the source-control and identity trail is the part no rule-based, single-source tool does, and it is what named exactly what happened here. Against that it laid the baselines: zero prior bulk downloads for the account, the org-wide per-user comparison, and the token’s scope and reuse. The identity signals were clean (corporate SSO, passed MFA, a known device), which the investigation noted and then set aside, since none of it speaks to whether an authorized action is normal. The verdict was a high-severity data-access event by an authorized insider, with the destination of the archives still open.

While the curl loop was still running, Artemis unfolded the entire chain. It pulled the endpoint process events and identified the mechanism, a Claude Code session scripting the download on the developer’s behalf, not a person typing commands. That answered how, and raised the question that decides intent: did anything leave the machine? On its own a bulk download is ambiguous, as it could easily be an over-broad agent task as theft. Artemis swept the endpoint telemetry for every common egress tool: aws s3, rclone, scp, rsync, any upload command, and every one returned zero events. It cross-checked the firewall: all the download traffic had stayed on the corporate VPN, nothing posted to cloud storage or file-sharing. The archives were still on disk. So Artemis turned to the one exfiltration path network telemetry can’t see, and queried the endpoint for removable-media mounts and writes. The answer came back live, a stream of FileWritten events landing on a mounted external volume as they happened:

{
  "event_simpleName": "FileWritten",
  "UserName": "REDACTED-USER",
  "TargetFileName": "/Volumes/REDACTED-DRIVE/REDACTED-backup-2026/Downloads/REDACTED-repo.zip"
}

A personal portable SSD, plugged in at that moment, receiving a full copy of the machine, the repository archives and internal company documents among the paths. The same drive held an earlier backup from weeks before.

This is the part that matters: the copy was still in flight while Artemis watched it. It had walked the full chain, identity to source control to endpoint to firewall to the physical drive, in one continuous investigation, and surfaced the exfiltration in real time rather than reconstructing it days later from logs. The drive was still connected. That is what let the team move on the device while the data was still on-premises, before it could physically walk out the door, and it is what turned a data-access anomaly into a confirmed insider theft the moment it was happening, not after. That was what went to HR and legal.

Both sides of this ran on the same kind of technology. The download was executed by an AI coding agent handed repo-wide scope; the detection read that same agent’s execution trail off the endpoint, fused it with the source-control and identity records, and ran the live pivot to the drive, an AI investigator reconstructing an AI agent’s work from the customer’s own logs. The download’s velocity is the reason a human-paced review would not have kept up, and the reason the answer to “is this normal for this account” had to come from a learned baseline rather than a static rule.

What this means

Every safeguard in this story worked exactly as designed, and none of it mattered. SSO authenticated the right person. MFA passed. The device was managed and known. The OAuth grant was a real employee clicking “Authorize” on a sanctioned tool. Each control answered the question it was built to answer, “is this allowed?”, and each answered yes, because it was. What none of them could answer was whether an allowed action was normal for this account, and that was the only question that mattered.

Two forces met at that blind spot. A departing insider supplied the intent, the oldest motive there is. The barrier to being a capable insider threat used to be skill, but coding agents removed it. Every employee now has, on their laptop, a tool that can turn a moment of intent into a full-scale exfiltration. The time between decision and damage collapsed to almost nothing, and it happens entirely inside the set of actions your policies permit.

What closed the gap was not another rule but context: a learned baseline of what this account normally did, correlation across identity, source control, and endpoint that read six disconnected events as one actor, and an investigation fast enough to pivot into live endpoint telemetry and watch the source code being copied to a personal drive in real time. The insider used AI to move at machine speed; catching him required an investigator that worked at the same speed, from the same logs the company already had. As broad-scope tokens get handed to more capable agents, that is the shape of the problem, and the shape of the answer.

For defenders

Here are actions you can take today, whatever you run:

  1. Wire your coding agents’ own activity into your detection stack, both planes. Coding agents are now the most capable tool on every developer’s laptop, and most security teams have zero telemetry on them. Feed both the control plane (which agent ran, under whose identity, what tools and scopes it invoked, the OAuth tokens it minted or read) and the data plane (what it actually touched: repos cloned, files written, endpoints called) into the same pipeline as your identity and endpoint logs.
  2. Alert on the token’s second life, not its birth. An OAuth grant is noise. A broad-scope source-control token authorized interactively (a browser) and then, within minutes, used non-interactively (a curl, a script, an agent user-agent) is the signal. That intersection is what would have caught this on day one.
  3. Baseline the bulk primitives per principal. Track archive downloads and clone volume per account against its own 30–90 day history and against the org. A first-ever bulk-download event, or a volume that’s a large multiple of every other human, is worth a hard look even when identity is spotless. Here the account went from zero to 385× the org’s next human in one window.
  4. Treat agent-driven access as its own class. When a human token starts carrying an AI-agent user-agent, you’re no longer watching a person’s pace or judgment. Scope those tokens tightly, prefer purpose-built service identities for bulk operations, and watch what the agent actually reaches. The scope of the task is now the scope of the exposure.

Detection as a prompt

There is no single “someone downloaded the whole codebase” event in native source-control audit logs. GitHub records git.clone, git.fetch, and git.push, but the ZIP-archive endpoint this actor used emits no distinct download action, and git events are REST-API-only with short retention and a thin field set. GitLab and Bitbucket differ in action names but share the shape. So the source-control side is a volume-and-novelty hunt, and the confirmation lives on the endpoint.

Artemis expresses threat hunts as instructions to an investigation agent rather than as static rules, which is what let this case pivot from source-control logs into live endpoint telemetry mid-investigation. If you run an agentic investigation tool, the same idea ports directly. A prompt that would have surfaced this incident:

Role: insider-exfiltration triage over the org's own logs
(source-control audit, identity/SSO, EDR/endpoint, firewall).

Trigger: an identity performs its first-ever bulk repository access:
hundreds of distinct repos cloned/fetched in a short window, or a volume
that is a large multiple of that identity's 90-day norm and of every
other user in the org.

Investigate, in order, and report what you find at each step:
  1. Baseline. How much repo access has this identity performed per day
     over the last 30-90 days? Is today a first-of-its-kind spike? By what
     multiple over its own history and over the org's per-user max?
  2. Access grant. Was a broad-scope token (repo/workflow) or OAuth app
     authorized shortly before the access? By whom, and how: interactive
     browser session or programmatic? Correlate the grant to the access
     by actor and time even if the logs don't share a token id.
  3. One actor across sources. Join the source-control actor to the SSO
     identity and to the endpoint/device by email and host. Is the
     identity itself compromised (impossible travel, new device, failed
     MFA), or is this an authorized user acting anomalously? State which.
  4. Destination, to decide intent. Where did the data go? Query the
     endpoint for the process that pulled it and the path it wrote to,
     the firewall for outbound uploads to cloud/file-sharing, and the
     endpoint for removable-media mounts and file writes to external
     volumes. A copy of source code or archives to a personal drive, or
     an upload off-network, is confirmed exfiltration: escalate.
  5. Live vs. historical. Is any of this happening right now (drive still
     mounted, download still running)? If so, recommend immediate device
     containment before evidence is disconnected.

Do not treat clean identity signals (valid SSO, passed MFA, known device,
a token the user authorized themselves) as exoneration. The question is
not whether the access was permitted; it is whether it is normal for this
identity, and where the data ended up.

Details are drawn from real findings in a customer environment. Details are anonymized and indicators sanitized.

Table of contents
    Get a personalized demo

    Ready to See Everything and Stop Anything?

    Book a personalized demo and see what Artemis is building differently and how it can anticipate anything in your environment.

    Book A Demo
    2
    B+
    events processed every hour
    15,000
    + TB
    data processed daily
    2,000
    +
    insights generated daily