TLDR: Claude Code auto-loads .env files without asking. Cursor reads files listed in .cursorignore anyway. There are real CVEs for stealing API keys through project config files. .claudeignore and CLAUDE.md do not help: the automatic loading happens before your instructions are read, and an agent under prompt injection ignores them anyway. The only fix is running the agent in a separate execution context from your secrets.
If you use Claude Code, Cursor, or Copilot from a project directory that contains a .env file, the keys in that file are probably in the model's context window right now.
How it happens
Automatic .env loading. Knostic researchers found that Claude Code loads .env files at startup without asking. There is no prompt and no opt-in; the file contents simply become part of what is sent to the model.
Cursor bypasses .cursorignore. The agent used cat to read files that were explicitly listed in .cursorignore. The ignore file only controls indexing; an agent that can run shell commands can read anything the user running it can read, so an ignore list is a convenience, not an access control.
Supply chain attacks via project config. Check Point Research found vulnerabilities in Claude Code (CVE-2025-59536, CVE-2026-21852) in its handling of project files. Cloning a malicious repo could steal API keys and execute code, which makes a repository's own config files untrusted input from the moment you clone it.
DNS exfiltration. Through prompt injection, an agent was convinced to encode secrets into DNS queries to attacker-controlled domains. Outbound DNS is allowed almost everywhere and goes through the system resolver, so there is no HTTP connection for a firewall or proxy to catch.
Environment variables. Even with infisical run (secrets injected into the environment, nothing in .env on disk), an agent started from that environment inherits the variables and can read them back with env, its own process API, or by dumping /proc/self/environ. Whether the secrets are on disk or only in memory makes no difference to a process that shares them.
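The DNS channel is detectable from resolver logs, because an encoded secret looks nothing like a normal hostname. The script below is an added example (not code from the original post or from the research it cites): it builds a query of the shape described above from a constructed placeholder secret, then runs a small heuristic detector over a constructed dnsmasq-style log. The zone `c2.example.net`, the log format, the entropy threshold and the assumption that the zone is the last two labels are all mine.

```python
"""Added example: encoded-payload DNS query detection over resolver logs."""
import base64
import math
import re
from collections import Counter

# Constructed placeholder secret and an RFC 2606 reserved domain standing in
# for an attacker-controlled zone. Neither is real.
SECRET = "sk-ant-EXAMPLE-0000"
EXFIL_ZONE = "c2.example.net"


def encode_for_dns(secret: str, zone: str, label_len: int = 60) -> str:
    """Shape of the exfil query described above: hex-encode the secret, split
    it into labels of at most 63 octets (the RFC 1035 limit), append the zone."""
    hexed = secret.encode().hex()
    labels = [hexed[i:i + label_len] for i in range(0, len(hexed), label_len)]
    return ".".join(labels + [zone])


def shannon_entropy(s: str) -> float:
    """Bits per symbol of a label; random-looking encodings score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def is_suspicious_query(qname: str, zone_labels: int = 2) -> bool:
    """Heuristic detector. Labels above the zone (assumed: the last two
    labels) are treated as payload. A long pure-hex label, or a label of
    24+ characters with entropy above 3.8 bits, is flagged."""
    labels = qname.rstrip(".").lower().split(".")
    for label in labels[:-zone_labels]:
        if HEX_LABEL.match(label):
            return True
        if len(label) >= 24 and shannon_entropy(label) > 3.8:
            return True
    return False


QUERY_RE = re.compile(r"query=(\S+)")


def scan(log_lines) -> list:
    """Return the query names in the log that look like encoded payload."""
    flagged = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_suspicious_query(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed resolver log. Two lines carry the placeholder secret: one
# hex-encoded, one base32-encoded with padding stripped.
HEX_QUERY = encode_for_dns(SECRET, EXFIL_ZONE)
B32_QUERY = (base64.b32encode(SECRET.encode()).decode().rstrip("=").lower()
             + "." + EXFIL_ZONE)
SAMPLE_LOG = [
    "2025-06-01T10:00:01Z client=10.0.0.5 query=api.anthropic.com",
    "2025-06-01T10:00:02Z client=10.0.0.5 query=registry.npmjs.org",
    f"2025-06-01T10:00:03Z client=10.0.0.5 query={HEX_QUERY}",
    "2025-06-01T10:00:04Z client=10.0.0.5 query=objects.githubusercontent.com",
    f"2025-06-01T10:00:05Z client=10.0.0.5 query={B32_QUERY}",
]

if __name__ == "__main__":
    for q in scan(SAMPLE_LOG):
        print("suspicious:", q)
```

The detector is deliberately simple: it will miss a payload spread over many short, low-entropy labels, and it will flag legitimate services that use long hashed labels (some CDN and certificate-transparency names do). Treat a hit as a trigger to look at which process issued the query, not as proof of exfiltration.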
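Both of the last two points are easy to demonstrate locally. The script below is an added example, not code from the original post or from the cited reports: it creates a throwaway project with a constructed `.env`, shows that an ignore list filters the file walk but does nothing to a direct `cat`, and then launches a child process the way an `infisical run`-style wrapper would, so the child can read the injected variable straight out of `/proc/self/environ`. The variable name `INJECTED_SECRET`, the placeholder key and the shape of the ignore list are assumptions of the example.

```python
"""Added example: ignore lists vs direct reads, and environment inheritance."""
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def indexable_files(root: str, ignore_names) -> list:
    """What an ignore file controls: which files the indexer walks."""
    ignored = set(ignore_names)
    return sorted(p.name for p in Path(root).iterdir()
                  if p.is_file() and p.name not in ignored)


def agent_shell_read(path: str) -> str:
    """What a tool-using agent does when asked about configuration: run
    `cat` (the command in the report above). Nothing consults the ignore list."""
    return subprocess.run(["cat", path], capture_output=True, text=True,
                          check=True).stdout


def ignore_bypass_demo() -> tuple:
    """Constructed project: a .env the ignore list hides from indexing but
    that a direct read returns verbatim."""
    with tempfile.TemporaryDirectory() as root:
        env_file = Path(root) / ".env"
        env_file.write_text("API_KEY=sk-constructed-example\n")  # constructed, not a real key
        (Path(root) / "app.py").write_text("print('hello')\n")
        return indexable_files(root, [".env"]), agent_shell_read(str(env_file))


# Child program: read the process environment from the kernel's view of it.
# On Linux that is /proc/self/environ; os.environ is the fallback elsewhere.
CHILD = r"""
import os, sys
try:
    pairs = open("/proc/self/environ", "rb").read().split(b"\0")
except OSError:
    pairs = [f"{k}={v}".encode() for k, v in os.environ.items()]
for p in pairs:
    if p.startswith(b"INJECTED_SECRET="):
        sys.stdout.write(p.decode())
"""


def child_sees_secret(value: str, scrub: bool) -> str:
    """Simulate a wrapper that injected a secret into the launching shell's
    environment. With plain inheritance the child reads it back; with an
    allowlisted (scrubbed) environment it cannot."""
    parent_env = {**os.environ, "INJECTED_SECRET": value}
    child_env = {"PATH": parent_env.get("PATH", "")} if scrub else parent_env
    out = subprocess.run([sys.executable, "-c", CHILD], env=child_env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    listing, leaked = ignore_bypass_demo()
    print("indexer sees:", listing)
    print("cat returns:", leaked.strip())
    print("inherited:", child_sees_secret("sk-constructed-example", scrub=False))
    print("scrubbed:", repr(child_sees_secret("sk-constructed-example", scrub=True)))
```

The point of the second half is that `/proc/self/environ` is not a trick; it is simply the process's own environment, and every tool the agent spawns gets a copy. The only version of the child that comes back empty is the one started from an explicit allowlist.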
Why ignore files don’t help
Adding “don’t read .env” to CLAUDE.md helps with honest mistakes. It does not protect against prompt injection, automatic loading that happens before the instructions are read, a compromised MCP server, or the agent “helpfully” inspecting your environment on its own. Instructions are advice to the model, not a boundary enforced around it.
The only fix
The AI agent and your secrets must live in separate execution contexts. Two approaches: Docker (containers or micro-VM sandboxes), or kernel-level sandboxing with nono or zerobox (Seatbelt on macOS, Landlock/bubblewrap on Linux). Whichever you pick, start the agent with a scrubbed environment and no read access to .env: restricting the filesystem alone leaves inherited environment variables in place, and neither stops the DNS channel unless egress is filtered as well.
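As a concrete version of the Docker approach, here is an added example (mine, not the post's and not part of nono, zerobox or any other tool it mentions) that builds the `docker run` argument vector for an agent: an allowlisted environment instead of the inherited one, the project mounted read-write, and `.env` masked by bind-mounting `/dev/null` over it. The image name, the `/work` mount point, the default allowlist and the secret-looking-name regex are assumptions of the example; the masking trick relies on Docker mounting `/work` before `/work/.env`, which is documented behaviour but worth verifying on your version.

```python
"""Added example: build a docker run command that isolates the agent from
project secrets. Assumes Docker is installed; the image name is a placeholder."""
import re
from pathlib import Path

# Names that should never be passed by accident. Heuristic, so it is a
# backstop for the allowlist, not the control itself.
SECRET_LIKE = re.compile(r"KEY|TOKEN|SECRET|PASS(WORD|WD)?|CREDENTIAL", re.I)

# Variables a CLI agent legitimately needs from the host. Everything else
# stays outside. (Assumed set; PATH and HOME come from the image.)
DEFAULT_ALLOW = ("TERM", "LANG", "LC_ALL", "TZ", "NO_COLOR")


def allowlisted_env(source: dict, allow=DEFAULT_ALLOW, agent_credentials=()) -> dict:
    """Allowlist, not denylist: a variable reaches the agent only if named.
    The agent's own API key is a secret it genuinely needs, so it is passed
    only when named explicitly in agent_credentials; any other secret-looking
    name on the allowlist raises, so a careless allowlist fails closed."""
    passed = {}
    for name in tuple(allow) + tuple(agent_credentials):
        if name not in source:
            continue
        if SECRET_LIKE.search(name) and name not in agent_credentials:
            raise ValueError(f"refusing to pass {name!r}: name looks like a secret")
        passed[name] = source[name]
    return passed


def sandbox_argv(project: str, image: str, env: dict, agent_cmd) -> list:
    """Argument vector for `docker run`. Nothing from the host environment is
    inherited by the container; only `env` is passed with -e."""
    root = Path(project).resolve()
    argv = ["docker", "run", "--rm", "-it",
            "--cap-drop", "ALL",
            "--security-opt", "no-new-privileges",
            "-v", f"{root}:/work", "-w", "/work"]
    # Mask .env with an empty file. Only when it exists on the host: Docker
    # would otherwise create an empty .env in the project as the mount point.
    if (root / ".env").is_file():
        argv += ["-v", "/dev/null:/work/.env:ro"]
    for name, value in env.items():
        argv += ["-e", f"{name}={value}"]
    argv.append(image)
    argv += list(agent_cmd)
    return argv


if __name__ == "__main__":
    import os
    import shlex
    env = allowlisted_env(os.environ, agent_credentials=("ANTHROPIC_API_KEY",))
    print(shlex.join(sandbox_argv(".", "agent-image:latest", env, ["claude"])))
```

What this does not do: the container keeps network access, because the agent needs its API, so the DNS channel from the previous section is still open. Close it with a resolver the container is forced to use and an egress policy on the host, or put the agent behind a proxy that is the only route out. It also does not cover other secret-bearing files in the project (`.npmrc`, `.git-credentials`, cloud CLI configs in the mounted home); extend the masking to whatever your project actually contains.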
Further reading
- Knostic: From .env to Leakage
- Check Point: RCE Through Claude Code Project Files
- Knostic: How AI Assistants Leak Secrets