You're shipping Claude Code projects to production. Here's what `.claude/` is leaking.

Updated

Lakera's Apr 2026 disclosure found 33 of 428 npm packages shipping live `.claude/` credentials. The Apr 2026 Bitwarden CLI hijack hunted the same paths. Securie catches it before publish.

This is for you if…

  • Using Claude Code as your primary AI coding tool
  • Publishing packages to npm (or planning to)
  • Storing API keys somewhere — possibly in `.claude/`
  • Reading the Apr 2026 Lakera disclosure + wondering if you're affected

The moments you feel this

First read of the Lakera disclosure

You read that 33 of 428 npm packages shipped live `.claude/` credentials and realize you have no idea whether your published package included one.

First Anthropic billing alert

$4,200 in 12 hours. Your usage dashboard shows continuous Claude Opus calls. None are yours.

First customer asking 'is your code safe?'

You don't have a real answer. You don't even know what your `.gitignore` looks like.

What Securie does for you

secret_scanner live-validates `.claude/` artifacts

Every PR and every npm publish is checked for `.claude/`, `.cursor/` and `.continue/` directory inclusion, and any key found is tested against the vendor to see whether it is still live. Hits are reported as critical-severity findings before publish.

secrets-lifecycle rotation playbook

If a key leaked, Securie's rotation flow is one click. It includes vendor-side revoke, per-environment update and git-history cleanup. The revoke is what actually ends the exposure; the history cleanup only stops the key from reappearing in future clones.

What you don't need to know

  • What `gitleaks` is
  • How to write a regex for `sk-ant-` keys
  • How npm publish works under the hood
  • What an npm tarball looks like

What you actually do

  1. Install Securie GitHub App
  2. Add `.claude/`, `.cursor/`, `.continue/` to both `.gitignore` and `.npmignore` (Securie auto-PRs this). Both are needed: npm only falls back to `.gitignore` when no `.npmignore` exists, so a package that already has a `.npmignore` is not protected by a `.gitignore` entry alone.
  3. Read Securie's PR comments before merge
  4. Tap 'Commit suggestion' on auto-fix PRs
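If you want to see what the check behind steps 2 and 3 amounts to (the "regex for `sk-ant-`" and "what an npm tarball looks like" points above), here is an added example that is not Securie's code and not from the Lakera disclosure. It scans the actual artifact `npm pack` produces, where every member sits under a top-level `package/` directory, and also a plain checkout, flagging files that live under `.claude/`, `.cursor/` or `.continue/` and any string shaped like an Anthropic key. The key pattern's minimum length and the sample package with its fake key are constructed assumptions for the demo.

```python
"""Pre-publish scan for AI-assistant artifacts in an npm tarball or checkout.

Added example (not Securie's code). The key regex and the sample package
below are assumptions constructed for the demo.
"""
from __future__ import annotations

import io
import re
import tarfile
import tempfile
from pathlib import Path

# Directories the page names as created by AI coding tools; extend as needed.
AI_TOOL_DIRS = frozenset({".claude", ".cursor", ".continue"})

# Anthropic keys start with "sk-ant-". The 20-char minimum is an assumption
# that skips the bare prefix when it appears in prose or docs.
ANTHROPIC_KEY_RE = re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}")


def classify_path(rel_path: str) -> str | None:
    """Return the AI-tool directory rel_path sits under, else None.

    Matching is per path component: 'src/.claude/x' hits, '.claude-docs/x' does not.
    """
    for part in rel_path.replace("\\", "/").split("/")[:-1]:
        if part in AI_TOOL_DIRS:
            return part
    return None


def scan_content(rel_path: str, data: bytes) -> list[dict]:
    """Flag a file for living in an AI-tool dir and for embedded keys."""
    findings = []
    tool_dir = classify_path(rel_path)
    if tool_dir is not None:
        findings.append({"path": rel_path, "kind": "ai-tool-dir", "detail": tool_dir})
    for m in ANTHROPIC_KEY_RE.finditer(data.decode("utf-8", errors="replace")):
        # Report a short prefix only; a scanner must not re-leak the secret.
        findings.append({"path": rel_path, "kind": "anthropic-key",
                         "detail": m.group(0)[:12] + "..."})
    return findings


def scan_tarball(tgz_path: str | Path) -> list[dict]:
    """Scan the .tgz that `npm pack` produced; members sit under 'package/'."""
    findings = []
    with tarfile.open(tgz_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name[len("package/"):] if member.name.startswith("package/") else member.name
            fh = tar.extractfile(member)
            findings.extend(scan_content(rel, fh.read() if fh else b""))
    return findings


def scan_tree(root: str | Path) -> list[dict]:
    """Scan a checkout: the case for projects that never publish to npm."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root)
        if p.is_file() and ".git" not in rel.parts:
            findings.extend(scan_content(rel.as_posix(), p.read_bytes()))
    return findings


# --- constructed sample data (fake key, not a real credential) -------------
FAKE_KEY = "sk-ant-api03-FAKEFAKEFAKE_0123456789abcdef_NOTREAL"


def build_sample_package(root: Path) -> tuple[Path, Path]:
    """Write a small project tree under root/pkg plus a tarball shaped like `npm pack` output."""
    files = {
        "package.json": b'{"name": "demo", "version": "1.0.0", "main": "index.js"}',
        "index.js": b"module.exports = () => 42;\n",
        "README.md": b"Keys look like sk-ant-... and must never be committed.\n",
        ".claude/settings.local.json": ('{"env": {"ANTHROPIC_API_KEY": "%s"}}' % FAKE_KEY).encode(),
        ".cursor/rules": b"Prefer TypeScript.\n",
    }
    pkg = root / "pkg"
    for name, data in files.items():
        path = pkg / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    tgz = root / "demo-1.0.0.tgz"  # kept outside pkg so the tree scan sees only sources
    with tarfile.open(tgz, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo("package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return pkg, tgz


def demo() -> dict:
    """Build the sample, scan both the tarball and the tree, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg, tgz = build_sample_package(Path(tmp))
        return {"tarball": scan_tarball(tgz), "tree": scan_tree(pkg)}


if __name__ == "__main__":
    for scope, findings in demo().items():
        print(f"{scope}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['kind']:14} {f['path']}  ({f['detail']})")
```

On a real project, run `npm pack` and point `scan_tarball` at the resulting `.tgz`; scanning the artifact itself is the structural check, because it reports what will actually be uploaded regardless of how `.gitignore`, `.npmignore` and the `files` field in `package.json` interact. For a repo that never publishes, `scan_tree` over the checkout covers the same leak surface.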

Hundreds of Claude Code users ship packages safely with Securie's `.claude/` audit at every PR.

But wait…

I already use Claude Code's enterprise tier — do I need Securie?

Anthropic's enterprise tier governs Anthropic's handling of your data (no training on your code). It does nothing about `.claude/` files being captured in your repo or tarball, nor about bugs in the code Claude generates. Securie covers both.

I'll just remember to add things to .gitignore

Lakera's Apr 2026 disclosure found 30 distinct publishers who got this wrong. Memory is unreliable; Securie's structural check is the fix.

I don't publish npm packages

Then check your git history instead: `.claude/` committed to a public GitHub repo is the same leak surface.