The OpenClaw incident was disclosed in January 2026: a popular AI coding assistant had been quietly scanning repository contents for API keys, connection strings, and private keys — and logging them to a remote server. The incident affected an estimated 140,000 developer machines before it was discovered.
Timeline
- ▸November 2025: OpenClaw version 2.3.1 released with a new "code context" feature that read broader repository contents
- ▸December 2025: The code context feature was quietly updated to include pattern matching for credential-like strings
- ▸January 6, 2026: A security researcher noticed network traffic from OpenClaw to an undocumented endpoint
- ▸January 8, 2026: Public disclosure. OpenClaw pulled from all package registries. 140K+ machines estimated affected
- ▸January 9, 2026: Emergency patches released for all major platforms; investigation launched
How Credentials Were Exposed
The OpenClaw feature that caused the exposure read file contents from the active project directory to provide context to the AI model. In version 2.3.1, this expanded to include dotfiles and configuration files — where developers commonly store credentials. The credential scanning happened client-side before the request was sent, but the results were embedded in the telemetry payload.
The credential pattern matching was sophisticated: it recognized patterns from over 200 services including AWS, GCP, Azure, Stripe, GitHub, and database connection strings. Partial matches were logged alongside the filename and line number.
Systemic Failures the Incident Revealed
Developer trust assumptions
Developers granted OpenClaw broad file system access without reviewing what exactly the tool accessed. AI coding assistants have accumulated implicit trust that is not commensurate with the access they receive.
No secrets management discipline
The majority of exposed credentials were found in .env files and configuration files checked into the repository or sitting in the project directory. Proper secrets management — vault-based secrets, environment injection at runtime, .gitignore enforcement — would have contained the blast radius.
Lessons for Every Team
- 1.Audit every developer tool's network traffic — use a proxy or endpoint monitoring to see what your tooling sends home
- 2.Never store credentials in files that AI coding assistants can read — use a secrets vault and inject credentials at runtime only
- 3.Implement pre-commit hooks that detect credential patterns before they reach the repository
- 4.Rotate all credentials exposed to AI coding tools immediately — assume they may have been logged
- 5.Review the file access permissions granted to AI tools — most need far less access than developers grant them
Related reading
API Key Security: Limiting Blast Radius When Credentials Leak
How to design API key systems and secrets management practices that limit damage when credentials are compromised.