
AI coding assistant secrets leakage: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7305
Topic starter  

TL;DR: AI desktop assistants and coding tools often store OAuth tokens, API keys, and MCP credentials in plaintext JSON at predictable locations, creating easy theft paths through malware, WSL exposure, extension abuse, and session hijacking, according to Netwrix. The core issue is not just exposure, but trust assumptions that let one readable file or session inherit far more access than governance teams expect.

NHIMG editorial — based on content published by Netwrix: Your AI coding assistant is leaking secrets

By the numbers:

Questions worth separating out

Q: How should security teams govern AI coding tools that store credentials locally?

A: Treat AI coding tools as part of the secrets estate, not just developer utilities.

Q: Why do AI assistants create more credential risk than traditional developer tools?

A: They often aggregate access to many external services in one workflow, then persist those credentials in predictable local files or sync them into shared environments.

Q: What breaks when AI tool credentials are stored as plaintext JSON?

A: Plaintext storage removes the protection that should exist between a local file read and reusable identity.

Practitioner guidance

  • Map every AI tool secret location: Identify all credential files, keychain entries, sync paths, and environment-variable fallbacks used by AI coding assistants on Windows, macOS, Linux, and WSL.
  • Move MCP credentials out of inline JSON: Replace inline tokens with secure references or runtime retrieval where the tool supports it, and block repository commits of .mcp.json and similar files.
  • Require re-authentication for remote sessions: Treat remote control links as privileged access paths and force fresh authentication before accepting instructions, especially where shell execution or file writes are possible.

What's in the full article

Netwrix's full blog covers the operational detail this post intentionally leaves for the source:

  • Platform-by-platform credential storage paths for Claude Code, Copilot, Cursor, Cline, Continue.dev, and OpenClaw.
  • Examples of how remote control, VS Code SecretStorage, and WSL mounts change the exposure profile in practice.
  • Attack scenario breakdowns showing malware theft, session hijacking, malicious extensions, and MCP-based lateral movement.
  • Tool-specific mitigation notes such as OS keychain defaults, permission settings, and secret scanning gaps.

👉 Read Netwrix's analysis of AI coding assistant secret exposure →
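As an added illustration of the "move MCP credentials out of inline JSON" guidance above (example code written for this post, not from Netwrix or NHIMG), the following script flags literal credential values in an MCP server config and leaves environment or vault references alone. It assumes the common MCP config layout (a top-level "mcpServers" map with per-server "env" and "args"); the sample config, token strings and the sensitive-key patterns are constructed for illustration.

```python
"""Detect inline plaintext credentials in an MCP server config (example, assumed layout)."""
import json
import re

# Constructed sample: one server with an inline token, one using an
# environment reference, one passing a bearer token as a CLI argument.
SAMPLE_MCP_JSON = json.dumps({
    "mcpServers": {
        "github": {"command": "npx", "args": ["-y", "server-github"],
                   "env": {"GITHUB_TOKEN": "ghp_EXAMPLEtoken0123456789abcdefghijkl"}},
        "jira": {"command": "jira-mcp",
                 "env": {"JIRA_API_TOKEN": "${JIRA_API_TOKEN}"}},
        "remote": {"command": "mcp-remote",
                   "args": ["--header", "Authorization: Bearer sk-EXAMPLE123456789"]},
    }
})

# Env keys that usually carry a credential (heuristic, assumed for this example).
SENSITIVE_KEY = re.compile(r"(token|secret|key|password|passwd|auth)", re.I)
# Values that are references rather than literals: $VAR, ${VAR}, {{template}}, op://vault/item.
REFERENCE_VALUE = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|\{\{.*\}\}|op://.*)$")
# A bearer credential embedded directly in a command-line argument.
BEARER_IN_ARG = re.compile(r"bearer\s+\S{8,}", re.I)


def find_inline_secrets(config_text):
    """Return (server, location, key) tuples for credential values stored as literals."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        for key, value in spec.get("env", {}).items():
            if (SENSITIVE_KEY.search(key) and isinstance(value, str)
                    and value and not REFERENCE_VALUE.match(value)):
                findings.append((name, "env", key))
        for arg in spec.get("args", []):
            if isinstance(arg, str) and BEARER_IN_ARG.search(arg):
                findings.append((name, "args", "Authorization"))
    return findings


if __name__ == "__main__":
    # Non-zero exit makes this usable as a pre-commit gate for .mcp.json files.
    hits = find_inline_secrets(SAMPLE_MCP_JSON)
    for server, where, key in hits:
        print(f"[inline secret] server={server} {where}:{key} -> replace with a secret reference")
    raise SystemExit(1 if hits else 0)
```

Point the script at a real .mcp.json instead of SAMPLE_MCP_JSON to use it as a commit gate; a finding means the value should be replaced by a reference the tool resolves at runtime.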
