A security issue filed against Anthropic's Claude Code repository points to a data hygiene problem: the terminal-based AI coding assistant caches complete session histories to disk in plaintext, with no scrubbing of sensitive data that might appear during a session.
The problem is straightforward. When you work in Claude Code, everything that passes through the session - environment variables, API keys you paste in while debugging, database credentials, authentication tokens - gets written to a local cache file unredacted. That file persists after the session ends.
What Actually Gets Exposed
This isn't about a remote attack on Anthropic's servers. It's local exposure risk: anyone with access to your machine, malware scanning your home directory, or a backup tool that syncs your dotfiles to cloud storage could read your credentials verbatim from that cache.
Developers paste secrets into terminal sessions constantly. Debugging a broken API call usually ends with something like export API_KEY=sk-... followed by re-running the request. Shell history can at least be cleared manually and is, to some degree, under the user's control. A plaintext session cache with no secrets detection is a different attack surface entirely.
The risk compounds in shared environments. Claude Code running on shared dev machines, in CI pipelines, or on laptops that sync home directories across multiple devices means the exposure window is much larger than a single local machine.
The Fix Is Known, the Timeline Is Not
Secrets scrubbing is a solved problem. Tools like trufflehog and git-secrets already pattern-match for API key formats, tokens, and credential strings. Anthropic could scan session content before writing it to disk and redact matches, encrypt the cache with a key held in the system keychain, or disable session caching by default and make it opt-in.
As of publication, no public response from Anthropic has appeared on the GitHub issue with a fix timeline. If you use Claude Code and have pasted credentials into a session, find the cache directory (typically ~/.claude/) and check what's stored there. Any credentials you find should be rotated immediately - a secret that has touched plaintext storage should be treated as compromised.
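Both halves of that, a redact-before-write filter for session content and a read-only sweep of an existing cache directory, as an added Python example that is not Claude Code's or Anthropic's code. The regexes are a small constructed set (only the sk- prefix comes from the article), the file names and sample transcript are made up, and nothing about the real layout of ~/.claude/ is assumed.

```python
import re
import tempfile
from pathlib import Path
REDACTED = "[REDACTED]"
# Constructed pattern set (group 1 kept, group 2 redacted); trufflehog and git-secrets ship far larger rule sets.
PATTERNS = [
    # NAME=value where the name looks like a credential (export API_KEY=..., DB_PASSWORD=...)
    re.compile(r'(?i)\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD)[A-Z0-9_]*\s*=\s*["\']?)([^\s"\'\[]+)'),
    # bare tokens with the sk- prefix the article mentions; the length bound skips short words
    re.compile(r'()(\bsk-[A-Za-z0-9_\-]{16,})'),
    # HTTP Authorization headers: Bearer <token>
    re.compile(r'(?i)(bearer\s+)([A-Za-z0-9._~+/=\-]{16,})'),
]

def redact(text):
    """Return (redacted_text, hits); over-eager by design, a lost harmless value beats a persisted key."""
    total = 0
    for pat in PATTERNS:
        text, n = pat.subn(lambda m: m.group(1) + REDACTED, text)
        total += n
    return text, total

def write_session(text, path):
    # Persist a transcript only after it has passed through redact(); returns the hit count
    clean, n = redact(text)
    Path(path).write_text(clean, encoding="utf-8")
    return n

def audit_cache(root):
    # Read-only sweep of an existing cache dir such as ~/.claude/: {file: hits}; a hit means a value worth rotating
    hits = {}
    for f in Path(root).rglob("*"):
        if f.is_file():
            n = redact(f.read_text(encoding="utf-8", errors="replace"))[1]
            if n:
                hits[str(f)] = n
    return hits

SAMPLE_SESSION = (  # constructed transcript standing in for a real cached session
    "export API_KEY=sk-constructedexampletoken1234\n"
    "DB_PASSWORD=hunter2\n"
    "curl -H 'Authorization: Bearer abcdefghijklmnopqrstuvwxyz0123' https://example.invalid/\n"
)

def demo():
    with tempfile.TemporaryDirectory() as d:
        Path(d, "raw.jsonl").write_text(SAMPLE_SESSION, encoding="utf-8")
        n = write_session(SAMPLE_SESSION, Path(d, "clean.jsonl"))
        return n, {Path(k).name: v for k, v in audit_cache(d).items()}
```

demo() caches the sample both unfiltered and through write_session(), then audits the directory: only the unfiltered copy is flagged, and because group 2 never matches "[", re-running the filter over already redacted text reports zero hits. Run audit_cache() against your own cache directory to get a per-file list of what to rotate.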