TL;DR: AI desktop assistants and coding tools often store OAuth tokens, API keys, and MCP credentials in plaintext JSON at predictable locations, creating easy theft paths through malware, WSL exposure, extension abuse, and session hijacking, according to Netwrix. The core issue is not just exposure, but trust assumptions that let one readable file or session inherit far more access than governance teams expect.
NHIMG editorial — based on content published by Netwrix: Your AI coding assistant is leaking secrets
By the numbers:
- Trend Micro found that 48% of 19,402 MCP server implementations recommend plaintext credential storage.
- Only 44% of organisations are currently using a dedicated secrets management system.
Questions worth separating out
Q: How should security teams govern AI coding tools that store credentials locally?
A: Treat AI coding tools as part of the secrets estate, not just developer utilities.
Q: Why do AI assistants create more credential risk than traditional developer tools?
A: They often aggregate access to many external services in one workflow, then persist those credentials in predictable local files or sync them into shared environments.
Q: What breaks when AI tool credentials are stored as plaintext JSON?
A: Plaintext storage removes the protection that should exist between a local file read and reusable identity.
Practitioner guidance
- Map every AI tool secret location Identify all credential files, keychain entries, sync paths, and environment-variable fallbacks used by AI coding assistants on Windows, macOS, Linux, and WSL.
- Move MCP credentials out of inline JSON Replace inline tokens with secure references or runtime retrieval where the tool supports it, and block repository commits of .mcp.json and similar files.
- Require re-authentication for remote sessions Treat remote control links as privileged access paths and force fresh authentication before accepting instructions, especially where shell execution or file writes are possible.
What's in the full article
Netwrix's full blog covers the operational detail this post intentionally leaves for the source:
- Platform-by-platform credential storage paths for Claude Code, Copilot, Cursor, Cline, Continue.dev, and OpenClaw.
- Examples of how remote control, VS Code SecretStorage, and WSL mounts change the exposure profile in practice.
- Attack scenario breakdowns showing malware theft, session hijacking, malicious extensions, and MCP-based lateral movement.
- Tool-specific mitigation notes such as OS keychain defaults, permission settings, and secret scanning gaps.
👉 Read Netwrix's analysis of AI coding assistant secret exposure →
AI coding assistant secrets leakage: are your controls keeping up?
Explore further
Predictable credential paths have created a new secret sprawl problem inside AI tooling. The issue is not that AI assistants need access, but that too many of them persist that access in files designed for convenience rather than governance. Once credentials sit in predictable JSON paths, the identity model collapses from controlled delegation to easily harvested shared secrets. Practitioners should treat AI desktop storage as part of the secrets estate, not an edge case.
A few things that frame the scale:
- The average time to mitigate a leaked secret is 36 hours, highlighting the operational burden of manual remediation processes, according to The 2024 State of Secrets Management Survey.
- 54% of organisations are dissatisfied with their current secrets management solution because not all secrets are secured, and 43% cite lack of central management.
A question worth separating out:
Q: Should organisations allow remote control features in AI coding assistants?
A: Only with re-authentication, scoped permissions, and explicit governance around what the live session can do. If a remote link inherits full local privileges, it becomes a bearer token for code execution and file access. That design is too close to privileged access to leave outside PAM-style controls.
👉 Read our full editorial: AI coding assistants are leaking credentials across predictable file paths