Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI coding assistant secrets leakage: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI desktop assistants and coding tools often store OAuth tokens, API keys, and MCP credentials in plaintext JSON at predictable locations, creating easy theft paths through malware, WSL exposure, extension abuse, and session hijacking, according to Netwrix. The core issue is not just exposure, but trust assumptions that let one readable file or session inherit far more access than governance teams expect.

NHIMG editorial — based on content published by Netwrix: Your AI coding assistant is leaking secrets

By the numbers:

Questions worth separating out

Q: How should security teams govern AI coding tools that store credentials locally?

A: Treat AI coding tools as part of the secrets estate, not just developer utilities.

Q: Why do AI assistants create more credential risk than traditional developer tools?

A: They often aggregate access to many external services in one workflow, then persist those credentials in predictable local files or sync them into shared environments.

Q: What breaks when AI tool credentials are stored as plaintext JSON?

A: Plaintext storage removes the protection that should exist between a local file read and reusable identity.

Practitioner guidance

  • Map every AI tool secret location Identify all credential files, keychain entries, sync paths, and environment-variable fallbacks used by AI coding assistants on Windows, macOS, Linux, and WSL.
  • Move MCP credentials out of inline JSON Replace inline tokens with secure references or runtime retrieval where the tool supports it, and block repository commits of .mcp.json and similar files.
  • Require re-authentication for remote sessions Treat remote control links as privileged access paths and force fresh authentication before accepting instructions, especially where shell execution or file writes are possible.

What's in the full article

Netwrix's full blog covers the operational detail this post intentionally leaves for the source:

  • Platform-by-platform credential storage paths for Claude Code, Copilot, Cursor, Cline, Continue.dev, and OpenClaw.
  • Examples of how remote control, VS Code SecretStorage, and WSL mounts change the exposure profile in practice.
  • Attack scenario breakdowns showing malware theft, session hijacking, malicious extensions, and MCP-based lateral movement.
  • Tool-specific mitigation notes such as OS keychain defaults, permission settings, and secret scanning gaps.

👉 Read Netwrix's analysis of AI coding assistant secret exposure →

AI coding assistant secrets leakage: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Predictable credential paths have created a new secret sprawl problem inside AI tooling. The issue is not that AI assistants need access, but that too many of them persist that access in files designed for convenience rather than governance. Once credentials sit in predictable JSON paths, the identity model collapses from controlled delegation to easily harvested shared secrets. Practitioners should treat AI desktop storage as part of the secrets estate, not an edge case.

A few things that frame the scale:

  • The average time to mitigate a leaked secret is 36 hours, highlighting the operational burden of manual remediation processes, according to The 2024 State of Secrets Management Survey.
  • 54% of organisations are dissatisfied with their current secrets management solution because not all secrets are secured, and 43% cite lack of central management.

A question worth separating out:

Q: Should organisations allow remote control features in AI coding assistants?

A: Only with re-authentication, scoped permissions, and explicit governance around what the live session can do. If a remote link inherits full local privileges, it becomes a bearer token for code execution and file access. That design is too close to privileged access to leave outside PAM-style controls.

👉 Read our full editorial: AI coding assistants are leaking credentials across predictable file paths



   
ReplyQuote
Share: