Blogg Utgåvor Problem Dokument Ladda ner Status Looking Glass Kontakta försäljning
Nätverk Motståndskraft Återställning Säkerhet Oföränderligt valv Manipuleringsskyddad granskning Priser
Utvecklare
UtvecklaröversiktCLI, SDK:er, webhooks InfrastrukturDocker, K8s, Terraform, CI/CD. AI-agenterClaude Code, Codex, Cursor, Hermes, OpenClaw. MSP-verktygDatto, NinjaOne, ConnectWise, N-able. WebbläsartilläggAutofyll, enhetsbaserad inloggning, generator MobilapparInbyggt iOS och Android Claude CodeOmfattningsbaserade tokens CodexOpenAI-integration CursorAgentläge Hermes AgentHermes Agent från Nous Research OpenClawAgent-upplösare ImporteraFrån valfri lösenordshanterare
Resurser
Blogg Utgåvor Problem Dokument Ladda ner Status Looking Glass Kontakta försäljning
Lösningar
Konsument SMB Enterprise MSP
Språk
🇺🇸 English 🇮🇩 Bahasa Indonesia 🇩🇰 Dansk 🇩🇪 Deutsch 🇪🇸 Español 🇫🇷 Français 🇮🇹 Italiano 🇳🇱 Nederlands 🇳🇴 Norsk 🇵🇱 Polski 🇧🇷 Português 🇫🇮 Suomi 🇸🇪 Svenska 🇻🇳 Tiếng Việt 🇹🇷 Türkçe 🇷🇺 Русский 🇺🇦 Українська 🇮🇳 हिन्दी 🇹🇭 ไทย 🇨🇳 中文 🇯🇵 日本語 🇰🇷 한국어
Logga in Gratis för alltid Kom igång
Security Blog

Your AI Coding Assistant Just Read Your Wallet

#6

May 1, 2026 · By Marketing team

← All posts

Also in: 🇺🇸 English

AI coding tools read .env files before you type anything. Your API keys — each one a credit card without a spending limit — are in someone else's context window before you write your first prompt. The problem isn't the AI. The problem is that secrets are files.

Open your AI coding assistant. Before you type a single character, it has already read your project directory. Your .env file. Your API keys. Your database password. Your Stripe secret key.

You didn't ask it to. You didn't approve it. It's a feature, not a bug — the tool needs project context to be useful. So it reads everything a developer can read.

And a developer can read everything.

The greentext version

A post made the rounds this week, written as a developer's internal monologue:

> Open Claude Code. Your .env gets read before you type anything. Your API keys are now in the chat. You add "don't read .env" to CLAUDE.md. Doesn't work.

380,000 people saw that post. 2,700 bookmarked it. Not because it was news — because it was a mirror.

Every developer reading it had the same thought: that's my setup.

Instructions don't work

The first thing people tried was writing rules. "Do not read .env files." In CLAUDE.md, in AGENTS.md, in system prompts. Direct, explicit prohibitions.

The tool read the files anyway.

This makes sense once you think about it. The file is read as part of building project context — before instructions are even processed. Telling the model not to read a file it already read is like telling someone to forget what they just saw. The information is in the context window. It's been transmitted. The instruction arrives after the damage.

One researcher found that even file-level deny rules could be circumvented through custom scripts or pipe chains. Another discovered elevated proxy bills because their HTTP_PROXY credentials were being automatically loaded and used.

The money in your .env

People frame this as a privacy issue. It's a financial one.

Open a typical .env file in a production project:

OPENAI_API_KEY=sk-...
STRIPE_SECRET_KEY=sk_live_...
AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=...
DATABASE_URL=postgresql://user:pass@...

That OpenAI key is a credit card with no spending limit and no PIN. Someone with that string can run $40,000 in API calls overnight. The Stripe key can issue refunds, create charges, access customer payment data. The AWS credentials — depending on the IAM policy, which is almost certainly too broad — can spin up GPU instances, access S3 buckets, or delete infrastructure.

This isn't a list of passwords. It's a list of wallets, each with a different balance and no lock.

29 million wallets on the sidewalk

GitGuardian's latest report counted 28.6 million secrets exposed in public GitHub commits in 2025. A 34% jump from the year before, and the largest annual increase they've ever measured.

The AI-specific numbers are worse. 1.2 million AI-service secrets exposed — an 81% year-over-year spike. Commits co-authored by AI coding tools leaked secrets at roughly double the baseline rate. And 24,000 unique secrets were found in MCP configuration files — the plumbing that connects AI agents to external services.

Twelve of the top fifteen fastest-growing leaked secret types were AI services. Not databases. Not cloud providers. AI services.

The tools we're using to write code faster are leaking the keys to the systems that code connects to.

The real problem

The developer who posted that greentext thread ended with a practical fix — a settings.json config that blocks file reads. That works. For now, for that tool.

But the real problem isn't Claude Code or Cursor or Copilot. The real problem is that secrets are files.

A .env file is a plaintext document sitting on disk, readable by any process running as your user. Before AI coding tools, the processes reading your project were git, npm, node, your editor. You trusted them implicitly. You didn't think about the fact that your secrets were one cat command away from exposure.

AI coding tools just made the implicit explicit. They read your project the same way every other tool does — they just happen to send the context somewhere you can see it.

Your CI pipeline reads .env files too. Your test runner does. Your linter does. Your Docker build does. None of them asked permission either. You just didn't notice because they didn't show you a chat transcript of what they found.

The pattern underneath

70% of secrets leaked in 2022 are still active today. Not rotated. Not revoked. Still working, still granting access, three years later.

This is the real number. Not 29 million leaks — 70% never fixed. Because rotating a key means finding every system that uses it, updating every deployment, testing every integration. The key was created once, pasted into a .env file, and never thought about again. The cost of leaking it is instantaneous. The cost of fixing the leak is unbounded.

So most organizations don't fix it. They can't. They don't know which keys are where, which are still active, which have been copied into other .env files on other machines by other developers who needed to get a feature working on a Friday afternoon.

What this actually means

Every .env file is a bet. A bet that no process will ever read it that shouldn't. A bet that no tool will ever send it somewhere unexpected. A bet that no developer will ever commit it by accident.

29 million times last year, someone lost that bet. On public GitHub alone. The private repos — where GitGuardian found secrets in 35% of repositories — aren't even counted.

The fix isn't a settings.json rule. The fix isn't a .gitignore entry. The fix isn't writing "DO NOT READ .ENV" in all caps in your instructions file.

The fix is that the secret shouldn't be there in the first place. Not in a file. Not in an environment variable loaded from a file. Not in any form that a process with your permissions can read by doing what processes do: reading files in your project directory.

If the secret is on disk, it will be read. The only question is when, and by what.

---

Sources