Skip to main content
Applies to:
  • Plan -
  • Deployment -

Summary

A bug in Braintrust’s Claude Agent SDK instrumentation could record API keys passed through query({ options: { apiKey } }) in Braintrust trace metadata. See GitHub security advisory GHSA-h8xp-g5cq-35xw for the complete impact statement, affected versions, technical details, and workarounds.
Upgrade to braintrust v3.23.1 or later, then rotate every API key that may have been recorded. Upgrading prevents new exposure but does not remove keys from existing traces.

Frequently asked questions

Is my application affected?

Your application is affected only when all of these conditions apply:
  • It uses the braintrust JavaScript package v0.4.0 through v3.23.0.
  • It instruments the Anthropic Claude Agent SDK with wrapClaudeAgentSDK() or Braintrust auto-instrumentation.
  • It passes an API key directly through options.apiKey when calling query().
The security advisory includes the complete version and instrumentation details.

Were keys supplied through environment variables affected?

No. Keys supplied through process.env.ANTHROPIC_API_KEY were not captured. Values supplied through options.env were also not captured because the instrumentation did not include the env option in span metadata.

How do I check for affected traces?

Run this query in the SQL sandbox for each project that contains Claude Agent SDK traces. Replace <PROJECT_ID> with the project’s ID. The query identifies affected spans without returning API key values.
A row where contains_api_key is true confirms that a key was stored. Do not select metadata.apiKey or share raw affected span metadata in tickets, chat messages, or screenshots.

What should I do if the query returns affected traces?

  1. Upgrade the braintrust JavaScript package to v3.23.1 or later and redeploy your application.
  2. Revoke and replace every API key that may have been recorded.
  3. Update your application to use the replacement credentials.
Rotate affected credentials even if you plan to delete the traces. Deleting stored data cannot invalidate a credential that someone may already have viewed.

Was the npm package or publishing process compromised?

No. This issue was an implementation bug in Braintrust-maintained instrumentation, not a supply chain attack or a compromise of the npm package, build, or publishing process.