Is Claude Code safe?
Anthropic's Claude Code captures local config into `.claude/settings.local.json`. Lakera Apr 2026 study: 33 of 428 npm packages with this file had live credentials. Plus the Mar 2026 sourcemap-leak of full Claude Code source. Honest verdict: safe with discipline, leaky in default config.
Claude Code's design captures conversation history + tool config + sometimes inline credentials into `.claude/`. When developers publish from a workspace where credentials were captured, the credentials ship along. April 2026 wave shows the attacker-side targeting is real.
How it fails in production
Live credentials in `.claude/settings.local.json` shipped to npm
Lakera Apr 2026: 33 of 428 npm packages with this file had live credentials. 8% rate.
Mar 2026 sourcemap leak of Claude Code's own source
Anthropic's npm publish pipeline shipped a sourcemap with full Claude Code source — 512K lines mirrored to GitHub within hours.
Bitwarden CLI Apr 2026 hijack hunted `.claude/`
Supply-chain malware specifically searched the dot-directory pattern Claude Code creates.
AI-generated code carries 92% auth-bug rate
Claude Code's output gets the same bug-class profile as any AI tool. Securie's specialist fleet runs on it regardless.
How to ship safely on Claude Code
- Add `.claude/`, `.cursor/`, `.continue/` to .gitignore + .npmignore
- Audit npm publish history retroactively for `.claude/` inclusion
- Rotate any Anthropic key that may have shipped in a public package
- Securie's secret_scanner specialist live-validates `.claude/` artifacts pre-publish
secret_scanner + secrets-lifecycle catch `.claude/` inclusion at PR time; AuthAuthz catches generated-code bug class; mcp-guard handles MCP-server interactions Claude Code makes.
Verdict
Claude Code is safe with .gitignore + .npmignore + pre-publish scanning. Default config is not — the April 2026 Lakera study showed 8% of Claude-Code-using packages leak credentials. Treat `.claude/` as `.env`.