Cybersecurity pioneer and global leader, Check Point® Software Technologies Ltd. (NASDAQ: CHKP), through its subsidiary Lakera, a world-leading AI-native security platform for agentic AI applications, has revealed a risk of credential leakage associated with the use of Anthropic's Claude Code.
This information leakage can occur when configuration files generated during the use of Claude Code contain authentication information, which is then exposed externally when an npm package is published. To understand the actual situation, Lakera conducted a scan and found that sensitive information was included in approximately 1 out of 13 `.claude/settings.local.json` files confirmed.
Background Claude Code is a terminal-based AI coding assistant agent that saves authorized shell commands to local configuration files within the project directory. It has been revealed that if this project is an npm package, files containing credentials may be published to a public registry.
Lakera was inspired by Kirill Efimov's post, who first pointed out cases where `.claude/settings.local.json` files were included in published npm packages. Lakera conducted this investigation to grasp the actual scale of the problem and to raise broad awareness. To understand how commonly this problem occurs and what kind of content the files contain, Lakera developed a scanner using a TypeScript service that monitors the CouchDB change feed of the npm registry. For each new or updated package, it obtained the tarball, inspected its contents, and if `.claude/settings.local.json` was present, extracted the file and saved it for analysis.
How Claude Code's Permission Model Works Claude Code employs a permission system for shell commands. When Claude attempts to execute a command that has not been previously allowed, several options are presented. One of them is "allow always." If this is selected, the command string is written as is into `.claude/settings.local.json` as a permanent allowlist entry. Thereafter, Claude will not ask for confirmation for that command.
This file resides in the `.claude/` directory at the root of the project directory and contains content similar to the following:
Once commands are permanently allowed, they are all recorded, including any credentials contained within the command at that time. For example, a curl command containing an Authorization header, or an environment variable like `API_KEY=abc123` prefixed to a command, would be recorded. All of these are recorded in this file, and the file is saved within the project directory.
Gaps in npm Publishing npm packages are generated from the contents of the project directory. Files can be excluded by `.npmignore` or the `files` field in `package.json`, but neither provides default settings targeting `.claude/`. Even if this directory exists, no warning is displayed when `npm publish` is executed. The configuration file is a hidden dotfile and does not stand out at any stage of the normal publishing workflow.
`.claude/settings.local.json` follows a naming convention similar to `.env`. The `.local` suffix indicates that the file is personal and dependent on a specific environment. Unlike `.env`, awareness of this and tools to detect and warn about it before publication are not sufficiently widespread.
Investigation Results During Lakera's scan period, `.claude/settings.local.json` was found in 428 out of approximately 46,500 monitored packages, and sensitive information was confirmed in 33 files across 30 of those packages. This result indicates that sensitive information is included in published configuration files at a rate of approximately 1 in 13.
FACT BOX
- Source: PR TIMES
- Category: Survey
- Organizations: Lakera
- Products / services: Claude Code / .claude/settings.local.json