Leaked Anthropic key in `.claude/settings.local.json` — committed to npm or git

Claude Code captures local config (sometimes including credentials) into `.claude/settings.local.json`. Lakera's April 2026 study found 33 of 428 npm packages containing this file had live, valid Anthropic credentials. The April 2026 Bitwarden CLI hijack was specifically built to hunt these dot-directories.

The next 60 seconds matter

Automated scrapers index every npm publish and every public GitHub commit looking for `.claude/`-pattern files. Once a key is found, the attacker validates it against api.anthropic.com and adds it to an LLMjacking pool. A documented Claude Opus victim case ran for 4.5 days at $50K; premium-model abuse can exceed $100K/day.

  • LLMjacking — the attacker uses the key for Claude inference; the documented Opus victim ran 4.5 days at ~$50K
  • Drain the prompt-cache budget (cached tokens are not bounded by the per-call rate limit)
  • Exfiltrate any project metadata stored in conversation-history files alongside settings.local.json
  • Pivot to other credentials co-located in the same `.claude/` directory

Rotation playbook

  1. Revoke at console.anthropic.com → API keys → Revoke (immediate, takes effect within seconds)
  2. Add `.claude/`, `.cursor/`, `.continue/` to .gitignore + .npmignore on every project
  3. Audit git history: `git log --all -p -- '.claude/'` — a force-push alone does not help; the reflog still carries the key
  4. Audit npm publish history: `npm view <pkg> versions`, then download each tarball and grep it for `sk-ant-`
  5. Rotate any other key co-located in the same `.claude/` directory
  6. Contact Anthropic billing support within 24h if the key was used (fraud-reversal window)
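Step 4 of the playbook applied to one downloaded tarball, as an added example that is not from this page or from Securie's own scanner: it opens the `.tgz`, looks only at JSON files under a `.claude/` directory, and reports each match with the key redacted. The page gives only the `sk-ant-` prefix, so the rest of the regex (character class, minimum length) and the sample file layout are assumptions.

```python
import io
import re
import tarfile

# The page gives only the "sk-ant-" prefix; the character class and minimum length
# below are an assumption, kept loose so that real keys are not missed.
ANTHROPIC_KEY_RE = re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}")


def redact(key: str) -> str:
    """Keep only the prefix and last four characters so findings can be logged safely."""
    return key[:7] + "..." + key[-4:]


def is_claude_json(name: str) -> bool:
    """True for JSON files anywhere under a .claude/ directory (npm nests files under package/)."""
    parts = name.split("/")
    return ".claude" in parts[:-1] and parts[-1].endswith(".json")


def scan_tarball(data: bytes) -> list[dict]:
    """Scan an npm tarball (.tgz bytes); return one finding per key found in .claude/*.json."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile() or not is_claude_json(member.name):
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            for match in ANTHROPIC_KEY_RE.finditer(text):
                findings.append({"path": member.name, "key": redact(match.group())})
    return findings


def build_sample_tarball() -> bytes:
    """Constructed stand-in for a published package; the key and the JSON layout are made up."""
    files = {
        "package/package.json": b'{"name": "demo", "version": "1.0.0"}',
        "package/index.js": b"module.exports = () => 42;\n",
        "package/.claude/settings.local.json":
            b'{"env": {"ANTHROPIC_API_KEY": "sk-ant-EXAMPLE00000000000000000000abcd"}}',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_tarball(build_sample_tarball()):
        print(f"{finding['path']}: {finding['key']}")
```

To run it over a real publish history, list versions with `npm view <pkg> versions --json`, fetch each with `npm pack <pkg>@<version>`, and pass the bytes of each `.tgz` to `scan_tarball`.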

Prevent the next one

  • Never check in `.claude/settings.local.json` — not even under another name
  • Run `gitleaks` pre-commit hook with custom Anthropic-pattern rule (sk-ant-)
  • Securie's secret_scanner specialist live-validates Anthropic keys at PR time
  • Securie's secrets-lifecycle specialist flags AI-coding-tool credentials before commit / publish
  • Anthropic's published guidance: store keys in the OS keychain or an environment variable, never in plaintext config

Pattern we scan for

`sk-ant-...` in JSON files inside `.claude/` directories (`settings.local.json`, conversation-history JSON files)