BotBeat
...
← Back

> ▌

AnthropicAnthropic
RESEARCHAnthropic2026-07-07

AI Coding Assistant Accidentally Shipping API Credentials: .claude Files Exposed Across Package Ecosystems

Key Takeaways

  • ▸428 out of 46,500 npm packages contained exposed .claude/settings.local.json files, with real credentials present in 30+ packages according to Lakera research team analysis
  • ▸Leaked credentials span multiple types: npm tokens, GitHub PATs, Telegram/Hugging Face tokens, and production bearer tokens—accumulated through developers approving commands during active AI coding sessions
  • ▸Problem is ecosystem-wide: .claude/ artifacts appear in Python, Java, and container registries, not just npm, indicating AI agents are leaving traces across multiple build pipelines and development ecosystems
Source:
Hacker Newshttps://reykur.io/blog/ai-coding-assistant-shipping-secrets/↗

Summary

Security researchers have uncovered a widespread problem where Claude Code's .claude/settings.local.json configuration files—meant to stay local and private—are being accidentally shipped in published npm packages, Python libraries, and deployed web applications with real API credentials inside. A Lakera research team scanning 46,500 npm packages found 428 contained the configuration file, with credentials exposed in 33 files across 30 packages. The exposed secrets include npm authentication tokens, GitHub personal access tokens, Telegram bot tokens, Hugging Face tokens, and production database credentials—artifacts left behind when developers clicked "allow always" during Claude Code sessions to approve command execution.

The issue extends beyond package registries into production environments: webcensus scanning across large domain lists found approximately 1 in 1,000 websites inadvertently exposing .claude/settings.local.json over HTTP, often containing live API keys and database credentials. The research reveals this is not a Claude Code-specific problem but a systemic ecosystem vulnerability affecting Python, Java, and container registries as well. The findings highlight a critical mismatch between how AI coding assistants are designed and how developers actually use them in practice, where permission convenience often outweighs security considerations.

  • Approximately 1 in 1,000 websites expose configuration files in production, enabling potential credential harvesting and lateral movement attacks for anyone discovering them

Editorial Opinion

This research exposes a fundamental tension between convenience and security in AI-assisted development. The 'allow always' pattern, while solving immediate friction, creates a false sense of control that masks the risk of shipping sensitive configuration files to the world. Both tool builders and developers must rethink permission models and build guardrails—AI agents should never assume that convenience can coexist with security compromises that touch production credentials.

AI AgentsMLOps & InfrastructureCybersecurityAI Safety & AlignmentPrivacy & Data

More from Anthropic

AnthropicAnthropic
PARTNERSHIP

ABC Australia Partners with Anthropic to Trial Claude AI in News Production

2026-07-07
AnthropicAnthropic
INDUSTRY REPORT

Anthropic Releases Field Guide to Claude Fable 5: Managing Unknowns in Agentic Coding

2026-07-07
AnthropicAnthropic
UPDATE

Anthropic's Claude Fable 5 Re-Release Sparks Backlash Over Safety Trade-Offs

2026-07-07

Comments

Suggested

Research CommunityResearch Community
RESEARCH

Zombie Agents: Security Researchers Uncover Persistent Control Vulnerability in Self-Evolving LLM Agents

2026-07-07
MicrosoftMicrosoft
UPDATE

Microsoft Confirms Windows 11 Storage Bug Caused by CapabilityAccessManager, Releases Fix

2026-07-07
NVIDIANVIDIA
INDUSTRY REPORT

Nvidia GPU Debt Backstop Reshapes $7 Trillion AI Financing Market

2026-07-07
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us