AI coding assistant is quietly shipping your secrets

k1r1111 pts0 comments

Your AI coding assistant is quietly shipping your secrets | Reykur Blog<br>← All postsSecurity ResearchAI ToolingSupply Chain<br>Your AI coding assistant is quietly shipping your secrets<br>AI coding agents are leaving a new kind of paper trail in your codebase — configuration files, logs, and helper artifacts that were never meant to leave your laptop.<br>Kirill EfimovMobb

May 7, 20267 min read

AI coding agents are starting to leave a new kind of paper trail in your codebase: configuration files, logs, and helper artifacts that were never meant to leave your laptop. In this post I walk through how I stumbled on one such trace, how others expanded the research, and why this feels like an ecosystem issue rather than a single bug.

#One .claude folder in an npm package

This started the boring way: with a small bug-bounty-style secret scanner I run over published artifacts.

While looking at npm packages, I noticed something that should not have been there at all: a .claude/settings.local.json file shipped inside a published tarball, complete with real secrets. The contents made it obvious this was not just a harmless cache: inline curl commands with Authorization: Bearer … headers, API_KEY=… environment variables prepended to commands, and other traces of day-to-day development with an AI coding assistant.

Claude Code’s own documentation describes .claude/settings.local.json as a project-level file for personal overrides, stored under the .claude/ folder at the root of your project and intended to stay local rather than be shared with the rest of the team:<br>https://code.claude.com/docs/en/settings

It is exactly the kind of file you never want in an npm tarball.

I posted a short note on LinkedIn calling this out, showing that .claude/settings.local.json was already shipping to npm with real tokens inside. https://www.linkedin.com/feed/update/urn:li:activity:7451998588588646400/

#Lakera’s research on package ecosystems

The Lakera research team picked up that LinkedIn post and decided to see how widespread the problem really was. He built a registry-side scanner that tailed the npm CouchDB changes feed, downloaded new and updated package tarballs, and extracted .claude/settings.local.json when present for analysis.

Across roughly 46,500 packages observed in his scan window, 428 contained a .claude/settings.local.json file, and 33 files across 30 packages held actual credentials. That is about one in thirteen settings files turning out to be sensitive.

The exposed data in those files was exactly what you would expect when developers hit "allow always" on commands during active Claude sessions: npm authentication tokens, GitHub personal access tokens, Telegram bot tokens, Hugging Face tokens, production bearer tokens, and plaintext test credentials used in provisioning scripts.

In the same write-up, Lakera also shows that this is not just an npm problem. He demonstrates similar issues across other ecosystems, with AI-agent traces ending up in Python, Java, and container artifacts as well.

Lakera’s blog post, "Your AI Coding Assistant Just Shipped Your API Keys", is the canonical reference here, and the numbers above come from his research:<br>https://www.lakera.ai/blog/your-ai-coding-assistant-just-shipped-your-api-keys

#Measuring the web with webcensus

npm is just one way these traces escape. As Lakera shows, the same pattern appears when AI agents are used across multiple language ecosystems and build pipelines.

To understand how often .claude/settings.local.json makes it all the way into deployed web assets, I built a simple scanner, webcensus, and ran it across several large domain lists:<br>https://github.com/Kirill89/webcensus

Across different lists, the result was consistently around 1 out of every 1000 websites exposing .claude/settings.local.json over HTTP.

In many cases, the file contained the same kinds of artifacts as in the package studies: live API tokens and database credentials baked into previously approved commands, plus hard-coded backup paths, internal hostnames, and other "security by obscurity" details that can make lateral movement easier once you are in.

So we now had two separate but related data points: secrets hiding in .claude/settings.local.json inside package registries, and the same file occasionally making it into production web roots.

And .claude/settings.local.json is just one very visible example. The same class of problem exists for other AI agents and their own folders and files - from local state and logs to agent-specific config and instruction documents.

#GitHub "dorks" for AI-agent traces

If a file can end up in tarballs and web roots, it can also end up in GitHub.

At that point it started to feel a lot like the Google-dork days again: trivial search queries returning obviously sensitive data. If you were doing security in the 2000s, this will feel familiar - simple queries, surprisingly naive issues everywhere.

A few examples that consistently surface real tokens...

claude settings local json coding tokens

Related Articles