Lakera, a Check Point Subsidiary, Warns of Information Leakage Risk from Claude Code Configuration Files Included in Public Packages
Lakera, a Check Point Software Technologies subsidiary and a global leader in AI-native security platforms for agentic AI applications, has revealed a risk of credential leakage associated with the use of Anthropic's Claude Code. This leakage can occur when configuration files containing credentials, generated during Claude Code's use, are exposed externally upon the publication of npm packages. Lakera's scan identified sensitive information in approximately 1 out of 13 `.claude/settings.local.json` files examined.
Published: April 27, 2026 at 22:40
Cybersecurity pioneer and global leader, Check Point® Software Technologies Ltd. (NASDAQ: CHKP), through its subsidiary Lakera, a world-leading AI-native security platform for agentic AI applications, has revealed a risk of credential leakage associated with the use of Anthropic's Claude Code.
This leakage can occur when configuration files generated during the use of Claude Code contain authentication information and are then exposed externally when an npm package is published. To gauge the scale of the problem, Lakera conducted a scan and found sensitive information in approximately 1 out of 13 `.claude/settings.local.json` files it examined.
## Background
Claude Code is a terminal-based AI coding assistant agent that saves authorized shell commands to a local configuration file within the project directory. If that project is an npm package, files containing credentials may be published to a public registry.
Lakera was inspired by a post by Kirill Efimov, who first pointed out cases where `.claude/settings.local.json` files were included in published npm packages. Lakera conducted this investigation to grasp the actual scale of the problem and to raise broad awareness. To understand how commonly the problem occurs and what the files contain, Lakera developed a scanner using a TypeScript service that monitors the CouchDB change feed of the npm registry. For each new or updated package, the scanner fetched the tarball, inspected its contents, and, if `.claude/settings.local.json` was present, extracted the file and saved it for analysis.
## How Claude Code's Permission Model Works
Claude Code employs a permission system for shell commands. When Claude attempts to execute a command that has not been previously allowed, several options are presented. One of them is "allow always." If this is selected, the command string is written as is into `.claude/settings.local.json` as a permanent allowlist entry. Thereafter, Claude will not ask for confirmation for that command.
This file resides in the `.claude/` directory at the root of the project directory and contains content similar to the following:
Once a command is permanently allowed, it is recorded in full, including any credentials the command contained at that time. For example, a curl command containing an Authorization header, or an environment variable like `API_KEY=abc123` prefixed to a command, would be recorded. All of this is stored in the file, which is saved within the project directory.
## Gaps in npm Publishing
npm packages are generated from the contents of the project directory. Files can be excluded by `.npmignore` or the `files` field in `package.json`, but neither provides default settings targeting `.claude/`. Even if this directory exists, no warning is displayed when `npm publish` is executed. The configuration file is a hidden dotfile and does not stand out at any stage of the normal publishing workflow.
`.claude/settings.local.json` follows a naming convention similar to `.env`. The `.local` suffix indicates that the file is personal and dependent on a specific environment. Unlike with `.env`, awareness of this file, and tools that detect it and warn before publication, are not yet widespread.
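A pre-publish audit covering both the permission-model section and the publishing gap above, as an added example that is not Lakera's scanner or code from the original article. It assumes the `permissions.allow` array layout of Claude Code settings files and the `files[]` list reported by `npm pack --dry-run --json`; the function names, patterns and sample data are constructed.

```javascript
// Added example: patterns, names and sample data are constructed for illustration.
// Credential shapes that can end up inside an allowed command string (not exhaustive).
const SECRET_PATTERNS = [
  { kind: "authorization-header", re: /Authorization:\s*(?:Bearer|Basic|token)\s+([^\s"'\\)]+)/i },
  { kind: "env-assignment", re: /\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*=([^\s"')]+)/ },
  { kind: "url-userinfo", re: /https?:\/\/[^\/\s:@]+:([^\/\s@]+)@/i },
];

// Scan permissions.allow (assumed layout) of one settings.local.json document.
function scanSettings(jsonText) {
  let doc;
  try { doc = JSON.parse(jsonText); } catch { return [{ kind: "unparseable", entry: -1 }]; }
  const allow = Array.isArray(doc?.permissions?.allow) ? doc.permissions.allow : [];
  const findings = [];
  allow.forEach((rule, entry) => {
    if (typeof rule !== "string") return;
    for (const { kind, re } of SECRET_PATTERNS) {
      const m = re.exec(rule);
      // Redact every occurrence of the value so the report does not re-leak it.
      if (m) findings.push({ kind, entry, preview: rule.split(m[1]).join("[REDACTED]") });
    }
  });
  return findings;
}

// packFiles: files[] from `npm pack --dry-run --json`; read: path -> file text.
function auditPack(packFiles, read) {
  return packFiles
    .map((f) => f.path)
    .filter((p) => /(^|\/)\.claude\/settings\.local\.json$/.test(p))
    .map((path) => ({ path, findings: scanSettings(read(path)) }));
}

// Constructed sample: what a tarball listing and a leaked settings file could look like.
const SAMPLE_PACK = [{ path: "package.json" }, { path: "dist/index.js" }, { path: ".claude/settings.local.json" }];
const SAMPLE_SETTINGS = JSON.stringify({
  permissions: {
    allow: [
      "Bash(npm run test:*)",
      'Bash(curl -H "Authorization: Bearer EXAMPLE-TOKEN-0000" https://api.example.test/v1/items)',
      "Bash(API_KEY=abc123 node scripts/sync.js)",
    ],
  },
});

// A non-empty result means the package must not be published as is.
console.log(JSON.stringify(auditPack(SAMPLE_PACK, () => SAMPLE_SETTINGS), null, 2));
```

Run from a `prepublishOnly` script against the real pack listing, a non-empty result is the signal to exclude `.claude/` through `.npmignore` or the `files` field and to rotate any credential that was flagged.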
## Investigation Results
During Lakera's scan period, `.claude/settings.local.json` was found in 428 out of approximately 46,500 monitored packages, and sensitive information was confirmed in 33 files across 30 of those packages. This result indicates that sensitive information is included in published configuration files at a rate of approximately 1 in 13.