A developer accidentally committed their OpenClaw bot's private key to a public GitHub repository. An attacker discovered the key via automated scanning, recovered the wallet, and drained it of $200 within hours.
A developer building an OpenClaw bot stored the bot's wallet private key in a .env file. While pushing routine changes, a misconfigured .gitignore let the .env file through, exposing the key in a public repository. Automated scanners (of which many exist, tuned for exactly this pattern) detected the key within minutes of the push. The attacker recovered the associated wallet and drained its full $200 balance. Rewriting the Git history after the discovery was too late: scanners had already copied the commit, and the key with it. The $200 loss was small, but the incident is a canonical example of how the path from a careless .gitignore to a drained wallet takes minutes, not days.
AFFECTED USERS: ~1
ESTIMATED COST: $200
The Actual Culprit
A .gitignore pattern that did not match .env, combined with no pre-commit secret scanner. Once a secret has been pushed to a public repository, even briefly, it must be treated as compromised.
gitleaks, trufflehog, and similar tools catch the vast majority of key leaks before they reach the remote. If you handle any kind of secret, install one.
Rewriting history does not help once scanners have copied the commit. Treat any secret that touched a public remote, even for seconds, as burned.
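To make the two failure points concrete, here is an added example of a minimal pre-commit hook in POSIX sh; it is not code from the incident write-up or from the OpenClaw project, and it is a stopgap, not a replacement for gitleaks or trufflehog. It refuses to stage any file named .env (whatever .gitignore says) and refuses staged content that looks like a raw private key. The key patterns, the exemption for .env.example-style templates, and the hook entry point are all assumptions of this example.

```shell
#!/bin/sh
# Hypothetical pre-commit hook (added example, not from the incident page).
# Two checks, mirroring the two failures in the write-up:
#   1. never commit a file named .env, regardless of what .gitignore says;
#   2. never commit staged content that looks like a raw private key.

# Returns 0 if the path is a real env file that must never be committed.
# Template files (.env.example etc.) are allowed; they are meant to be shared.
is_env_file() {
  case "$(basename "$1")" in
    .env.example|.env.sample|.env.template) return 1 ;;
    .env|.env.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 if the text on stdin contains a likely private key:
#  - a 64-hex-character string (a raw 32-byte key, optionally 0x-prefixed), or
#  - a PEM private-key header, or
#  - an assignment to a variable whose name contains PRIVATE_KEY.
# The 64-hex rule also matches SHA-256 digests, so expect occasional false
# positives; for a blocking hook that trade-off is acceptable.
looks_like_private_key() {
  grep -Eq \
    -e '(0x)?[0-9a-fA-F]{64}' \
    -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
    -e '^[[:space:]]*[A-Za-z0-9_]*PRIVATE_KEY[A-Za-z0-9_]*[[:space:]]*='
}

# Scan one file; returns 0 if it is safe to commit, 1 if it must be blocked.
scan_file() {
  path="$1"
  if is_env_file "$path"; then
    echo "blocked: $path is an env file; add it to .gitignore, do not commit it" >&2
    return 1
  fi
  if looks_like_private_key < "$path"; then
    echo "blocked: $path contains something that looks like a private key" >&2
    return 1
  fi
  return 0
}

# Hook entry point: scan every staged (added, copied, modified) file.
# Uses a brace group so the status survives the read loop's subshell.
run_hook() {
  git diff --cached --name-only --diff-filter=ACM | {
    status=0
    while IFS= read -r f; do
      [ -f "$f" ] || continue
      scan_file "$f" || status=1
    done
    exit "$status"
  }
}

# Only run the scan when invoked by git as .git/hooks/pre-commit; sourcing
# the file elsewhere (for tests, or to reuse the functions) does nothing.
if [ "$(basename "$0")" = "pre-commit" ]; then
  run_hook
  exit $?
fi
```

Copy the file to .git/hooks/pre-commit and mark it executable. Because the hook inspects the staged copy of each file, a .env that slipped past .gitignore is stopped before it ever becomes a commit, which is the only point at which stopping it is still cheap.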