Claude Code hardcoded API key in markdown documentation file

[BernardUriza]

Description

During a coding session, I asked Claude Code to save/document Azure OpenAI configuration. Instead of using environment variables in the examples, Claude Code hardcoded the actual API key directly in a markdown documentation file (AZURE_OPENAI_CURL_REFERENCE.md).

What happened

1. I was integrating Azure OpenAI into my project
2. I asked Claude to create documentation with curl examples
3. Claude created the file with my actual API key hardcoded:

   export AZURE_API_KEY="2a48df168ba44526a8f3cf71ae280d3f"  # Real key!

4. I committed and pushed without noticing (my fault for not reviewing)
5. The key was exposed in a public repo for 11 days
6. Hackers found it and used $30,000 USD worth of API calls

Expected behavior

Claude Code should NEVER hardcode actual API keys in any file. It should always use:

• Placeholder values: your-api-key-here
• Environment variable references: $AZURE_API_KEY
• Or at minimum, warn the user about the security risk

Suggested improvements

1. Add a safety check that detects when Claude is about to write something that looks like an API key
2. Always use placeholders in documentation examples
3. Warn users before committing files that contain potential secrets

Impact

• $30,000 USD fraudulent charges
• Lost employment

Commit reference

f3ac3f6 - "feat: Integrate Azure OpenAI as LLM provider alongside Claude and Ollama"

[github-actions]

Found 3 possible duplicate issues:

1. [BUG] Claude Code repeatedly ignores CLAUDE.md security guidelines and exposes API keys to version control #2142
2. [BUG] Security Bug Report: Claude Code Exposes Sensitive Environment Variables When Confused #11271
3. [BUG] Claude Code likes to write secrets into documentation files #9640

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

[BernardUriza]

Not a duplicate - documenting real-world impact

While the linked issues (#2142, #11271, #9640) describe the same behavior pattern, this issue documents concrete, severe consequences that those issues do not:

• $30,000 USD in fraudulent API charges by attackers who found the exposed key
• Loss of employment as a direct result

The other issues report the vulnerability theoretically. This one proves the real-world impact when it goes unaddressed.

I believe this warrants separate tracking as a case study for why this behavior needs urgent attention, not just acknowledgment as a known issue.

Please do not auto-close.

[BernardUriza]

Additional Evidence: Systematic Pattern Across Multiple Victims

I've created a comprehensive evidence repository documenting the same architectural flaw that caused your $30K fraud + job loss:

Repository: https://github.com/BernardUriza/claude-code-secret-exposure-test

What I Found

Your case (Issue #12524) + my case (Issue #2142) share the exact same root cause:

The Problem:

• Claude Code documents CLAUDE.md as a security feature
• Users create explicit security guidelines
• Claude Code never executes those guidelines
• Secrets get committed anyway
• Catastrophic consequences follow

Evidence in My Repository

1. Test Suite (test_claude_secret_exposure.py):

   • 3 scenarios replicating the vulnerability
   • Proves detection commands work when run manually
   • Proves Claude Code doesn't run them automatically

2. Root Cause Analysis:

   • 4 architectural problems identified:
     1. Design negligence (documented but not implemented)
     2. Spec-execution gap (100% non-compliance)
     3. False security theater (CYA documentation)
     4. Missing pre-commit hooks (no security gate)

3. Damage Quantification:

   • Your case: $30,000 fraud + employment loss
   • My case: $465,000 damages (employment termination at JLL)
   • Combined: $495,000+ in documented harm

The Smoking Gun

From my tests:

# Detection command from CLAUDE.md:
$ grep -r "AZURE_CLIENT_SECRET=" . --exclude-dir=.git
✅ FOUND: ./config.py:AZURE_CLIENT_SECRET = "..."

# Result: Commands work perfectly
# Problem: Claude Code NEVER runs them

Legal Significance

Your case adds critical evidence:

• ✅ Second documented victim (pattern of harm, not isolated incident)
• ✅ Financial damages quantified ($30K fraud is concrete, measurable)
• ✅ Employment consequences (same outcome as my case)
• ✅ Timeline: Your incident occurred despite Issue [BUG] Claude Code repeatedly ignores CLAUDE.md security guidelines and exposes API keys to version control #2142 being open

This establishes:

1. Anthropic had notice (Issue [BUG] Claude Code repeatedly ignores CLAUDE.md security guidelines and exposes API keys to version control #2142 predates both our incidents)
2. No fix deployed despite known harm
3. Pattern of gross negligence

Proposed Action

Would you be interested in coordinating?

Potential actions:

1. Class action: Multiple victims = stronger case
2. Joint demand letter: Combined $495K+ damages
3. FTC complaint: Deceptive practices (documenting features that don't exist)
4. Media coordination: Tech press (TechCrunch, Ars Technica)

Contact

If you're willing to share more details or coordinate legal/public action:

• GitHub: @BernardUriza
• Evidence repo: https://github.com/BernardUriza/claude-code-secret-exposure-test
• Issue [BUG] Claude Code repeatedly ignores CLAUDE.md security guidelines and exposes API keys to version control #2142 thread: [BUG] Claude Code repeatedly ignores CLAUDE.md security guidelines and exposes API keys to version control #2142

---

To Anthropic maintainers:

You now have TWO documented cases with $495,000+ in quantified damages:

• Issue Claude Code hardcoded API key in markdown documentation file #12524: $30K fraud + job loss
• Issue [BUG] Claude Code repeatedly ignores CLAUDE.md security guidelines and exposes API keys to version control #2142: $465K damages + job loss

How many more victims before you deploy a fix?

This is not a feature request. This is product liability.

---

Repository: https://github.com/BernardUriza/claude-code-secret-exposure-test
Documentation: Full root cause analysis, test suite, legal demand letter template

[BernardUriza]

🔧 Fix Proposed: PR #15040

I've created a pull request that directly addresses this issue by adding hardcoded credential detection to the security-guidance plugin.

Pull Request: #15040
Title: feat(security): Add hardcoded credentials detection to security-guidance plugin

What the fix does:

The PR adds 3 new security patterns to plugins/security-guidance/hooks/security_reminder_hook.py:

1. hardcoded_api_keys - Detects:

   • Generic patterns: API_KEY = "...", SECRET = "...", TOKEN = "..."
   • Service-specific: AZURE_API_KEY, OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY
   • Key prefixes: sk-ant-, sk-proj-, ghp_, gho_, Bearer eyJ

2. azure_connection_strings - Detects:

   • DefaultEndpointsProtocol=https;AccountName=
   • AccountKey=
   • SharedAccessSignature=

3. database_credentials - Detects database URLs with embedded credentials

This would have prevented your incident:

If this security pattern had been active on Nov 15, 2025, Claude Code would have blocked the commit of AZURE_OPENAI_CURL_REFERENCE.md with a warning like:

🚨 **CRITICAL: Hardcoded API Key or Secret Detected!**

This file appears to contain hardcoded credentials that should NEVER be committed to version control.

**Immediate Actions Required:**

1. **DO NOT COMMIT THIS FILE**
2. Move credentials to environment variables
3. Create .env file and add to .gitignore
4. If already committed: Rotate the credential immediately

**Reference:**
- GitHub Issue #2142 (Gmail, Maps, Firecrawl keys exposed)
- GitHub Issue #12524 (Azure OpenAI key → $30K fraud + job loss)

Implementation:

• Lines of code: +128 (3 new patterns)
• Files changed: 1 (security_reminder_hook.py)
• Breaking changes: None (additive only)
• Testing: ✅ Python syntax verified

Why this matters:

This is not just about fixing your case - it's about preventing this from happening to anyone else. The security-guidance plugin currently detects 10+ patterns (command injection, XSS, eval, etc.) but inexplicably does not detect the most common and costly security mistake: hardcoded credentials.

Industry context:

• GitHub Copilot: ✅ Built-in secret detection (2021+)
• GitGuardian: ✅ Real-time scanning
• Claude Code (current): ❌ No built-in detection
• Claude Code (with this PR): ✅ Comprehensive protection

Evidence repository:

Full forensic analysis, incident timeline, and reproduction tests available at:
https://github.com/BernardUriza/claude-code-secret-exposure-test

---

To Anthropic maintainers:

Accepting this PR would:

• ✅ Prevent future incidents like this ($30K+ in damages)
• ✅ Align Claude Code with industry security standards
• ✅ Close both Claude Code hardcoded API key in markdown documentation file #12524 and [BUG] Claude Code repeatedly ignores CLAUDE.md security guidelines and exposes API keys to version control #2142
• ✅ Demonstrate responsiveness to security concerns

The fix is ready for review. Let's protect developers.