HIGH·credentials

Claude Code — Lakera study finds 33 of 428 npm packages with live `.claude/` credentials

Cybersecurity firm Lakera identified 428 public npm packages containing a `.claude/settings.local.json` file. 33 of those files (across 30 distinct packages) carried live, valid credentials — Anthropic API keys, vendor tokens, and project-specific secrets that AI coding tools had captured into the dot-directory and shipped along with the package.

Victim: Claude Code users publishing to npm + the developers whose credentials leaked

What happened

BDTechTalks reported on April 27, 2026 that Lakera's study illustrated a structural risk class: AI coding assistants like Claude Code create persistent dot-directories holding tool configuration, conversation history, project context, and sometimes inline references to sensitive values. When these directories are not added to .gitignore + .npmignore, they ship with publish artifacts.

Timeline

  1. Claude Code's `.claude/settings.local.json` design captures local config including occasional credentials.

  2. Lakera scans 428 npm packages found to contain `.claude/` files.

  3. 33 files across 30 packages confirmed to hold live credentials via API verification.

  4. BDTechTalks reports findings; GitGuardian publishes Claude API key remediation guide.

  5. Anthropic recommends users audit npm publish history for `.claude/` inclusion + rotate any captured credentials.

Root cause

AI coding tools (Claude Code, Cursor, Continue) create hidden state directories outside the developer's mental model of 'what gets committed'. Default ignore lists (.gitignore, .npmignore) do not include these dot-directories. When developers publish from a workspace where the AI tool has captured credentials into its config, the credentials ship along.

Impact

  • 33 live credentials across 30 npm packages from a 428-package sample
  • 8% of `.claude/`-containing packages had exploitable secrets
  • Estimated population multiple times larger across all npm publishers using AI coding tools
  • Direct route to LLMjacking — leaked Anthropic keys can run $50K+/day in stolen inference
  • Reinforces the attacker thesis behind the April 2026 Bitwarden CLI hunt

Would Securie have caught it?

Yes. Securie's secret_scanner specialist's live_validate step actively probes for `.claude/`, `.cursor/`, `.continue/` directory inclusion in publish artifacts. Combined with the secrets-lifecycle specialist, every commit that adds these dot-dirs to a package gets a critical-severity finding before npm publish — the exact gate this study's 30 publishers needed.

Lessons

  • Add `.claude/`, `.cursor/`, `.continue/` to .gitignore + .npmignore on every project
  • Run pre-publish credential scans (Securie + GitGuardian) on every npm publish
  • AI coding tools should never capture credentials into local config — env vars only
  • Audit your own npm publish history retroactively for these dot-directories
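
A pre-publish gate for the lessons above, as an added example that is not code from Lakera, Securie or the original page: it reads the file list that `npm pack --dry-run --json` reports and returns every path that sits inside `.claude/`, `.cursor/` or `.continue/`. The function names, the `--stdin` flag and the sample package are assumptions made for illustration.

```javascript
// Added example (not Lakera's or Securie's tooling): flag AI-tool state
// directories in the file list that `npm pack --dry-run --json` reports.
const AI_STATE_DIRS = new Set([".claude", ".cursor", ".continue"]); // from the page

// Return the name of the first AI-tool directory found in a packed path, or null.
function aiStateDirIn(path) {
  // Normalise Windows separators, then compare whole path segments so that
  // "docs/claude.md" or "my.claude/x" do not match.
  const segments = String(path).replace(/\\/g, "/").split("/");
  // The last segment is a file name, not a directory.
  return segments.slice(0, -1).find((s) => AI_STATE_DIRS.has(s)) ?? null;
}

// packJson: text printed by `npm pack --dry-run --json` (an array with one
// entry per package, each carrying a `files` list of { path, size, mode }).
function findLeakedStateFiles(packJson) {
  const findings = [];
  for (const pkg of JSON.parse(packJson)) {
    for (const file of pkg.files ?? []) {
      const dir = aiStateDirIn(file.path);
      if (dir) findings.push({ package: `${pkg.name}@${pkg.version}`, dir, path: file.path });
    }
  }
  return findings;
}

// Constructed sample of the npm output, for illustration only.
const SAMPLE_PACK_JSON = JSON.stringify([{
  name: "example-pkg", version: "1.0.0",
  files: [
    { path: "package.json", size: 310, mode: 420 },
    { path: "lib/index.js", size: 1204, mode: 420 },
    { path: ".claude/settings.local.json", size: 512, mode: 420 },
    { path: "examples/demo/.cursor/rules.md", size: 88, mode: 420 },
    { path: "docs/claude.md", size: 2048, mode: 420 },
  ],
}]);

// CLI mode (hypothetical flag): npm pack --dry-run --json | node check-pack.js --stdin
if (process.argv.includes("--stdin")) {
  let input = "";
  process.stdin.on("data", (chunk) => (input += chunk));
  process.stdin.on("end", () => {
    const findings = findLeakedStateFiles(input);
    for (const f of findings) console.error(`BLOCK ${f.package}: ${f.path}`);
    process.exit(findings.length ? 1 : 0); // non-zero exit stops the publish step
  });
}
```

Checking the packed file list rather than the ignore files matters because npm falls back to .gitignore only when no .npmignore exists, and a `files` allowlist in package.json changes the result again.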

References