China's biggest cybersecurity firm accidentally leaked an SSL key in a public installer


If you've ever watched a tutorial on vibe coding, you probably know that the first piece of advice is to never hardcode secrets such as API keys into your apps. Mistakes like that are expected from inexperienced builders; a major cybersecurity company shipping a product with an exposed private key is a much bigger deal.

Recent reports say that Qihoo 360, one of China's biggest cybersecurity companies, accidentally shipped the private key of a wildcard SSL/TLS certificate inside the public installer for its 360 Security Claw AI assistant. The assistant is the company's wrapper around OpenClaw, the viral open-source AI agent that spawned the wave of agentic tools carrying the "Claw" suffix. The oversight hands anyone who downloaded the software the exact key needed to pose as the company's backend servers.

Security researcher Lukasz Olejnik found the certificate for the platform's myclaw.360.cn domain, together with its private key, sitting unprotected inside an uncompressed archive in the installer. A basic extraction tool is enough to unpack the installer and pull the private key out. The certificate is valid until April 2027 and, being a wildcard, covers every subdomain on the platform.
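The check that would have caught this before release is a scan of the built installer for PEM material. The following is an added example written for this article, not code from the page or from Qihoo 360: it walks every member of an archive, reports any PEM private key (distinguishing passphrase-protected keys from usable ones) and parses each certificate's validity window straight from the DER, so a reviewer sees how long a leaked key would stay useful. It uses only the Python standard library. Modelling the installer as a zip archive is an assumption of the example (real installers may need a 7z or NSIS unpacker), and the key, certificate and file names in the sample are constructed placeholders, not real key material.

```python
"""Release gate: refuse to ship an installer that contains a usable private key.

Added example, not the article's or Qihoo 360's code. Assumptions: the
installer is a zip archive; the sample contents below are constructed fakes.
"""
import base64
import datetime
import io
import re
import zipfile

# One PEM block; the END label must match the BEGIN label.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
# Labels that carry a private key in the clear unless legacy PEM headers say otherwise.
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Yield (tag, value) for each element of a DER SEQUENCE body."""
    pos = 0
    while pos < len(seq):
        tag, value, pos = _tlv(seq, pos)
        yield tag, value


def _parse_time(tag, value):
    """X.509 Time: UTCTime (0x17, two-digit year, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    parsed = datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")
    return parsed.replace(tzinfo=datetime.timezone.utc)


def cert_validity(pem_body):
    """Return (notBefore, notAfter) from the base64 body of a PEM certificate."""
    der = base64.b64decode(b"".join(pem_body.split()))
    _, cert, _ = _tlv(der, 0)   # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = _tlv(cert, 0)   # TBSCertificate ::= SEQUENCE { [0] version, serial, sigAlg, issuer, validity, ... }
    fields = [(t, v) for t, v in _children(tbs) if t != 0xA0]  # drop EXPLICIT [0] version; rest is positional
    (t1, v1), (t2, v2) = list(_children(fields[3][1]))[:2]     # fields[3] is validity
    return _parse_time(t1, v1), _parse_time(t2, v2)


def scan_installer(archive_bytes, as_of=None):
    """Walk every archive member and report the PEM material found in it."""
    today = datetime.date.fromisoformat(as_of) if as_of else datetime.date.today()
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            for m in PEM_RE.finditer(zf.read(name)):
                label = m.group("label").decode("ascii")
                f = {"member": name, "type": label}
                if label in PRIVATE_KEY_LABELS:
                    f["encrypted"] = b"Proc-Type: 4,ENCRYPTED" in m.group("body")  # legacy PEM passphrase header
                    f["severity"] = "high" if f["encrypted"] else "critical"
                elif label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 with a passphrase: bad, but not a live key
                    f["encrypted"], f["severity"] = True, "high"
                elif label == "CERTIFICATE":
                    _, not_after = cert_validity(m.group("body"))
                    f["severity"] = "info"
                    f["not_after"] = not_after.isoformat()
                    f["days_left"] = (not_after.date() - today).days
                else:
                    f["severity"] = "info"
                findings.append(f)
    return findings


def release_blocked(findings):
    """The gate: fail the build if any member ships a private key in the clear."""
    return any(f["severity"] == "critical" for f in findings)


def _der(tag, value):
    """Minimal DER encoder, used only to build the constructed sample below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_installer():
    """Constructed sample (not a real key pair): a binary, a PEM file holding an
    unencrypted key plus a skeletal certificate expiring 2027-04-01, and a
    passphrase-protected PKCS#8 key."""
    validity = _der(0x30, _der(0x17, b"250401000000Z") + _der(0x17, b"270401000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                                  # [0] version v3
                     + _der(0x02, b"\x01")                                            # serialNumber
                     + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))    # sha256WithRSAEncryption
                     + _der(0x30, b"") + validity + _der(0x30, b"") + _der(0x30, b""))  # issuer, validity, subject, SPKI placeholder
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    pem = lambda label, raw: b"-----BEGIN %s-----\n" % label + base64.encodebytes(raw) + b"-----END %s-----\n" % label
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/main.exe", b"MZ\x90\x00 not a real binary")
        zf.writestr("app/config/server.pem", pem(b"PRIVATE KEY", b"fake-key-bytes" * 4) + pem(b"CERTIFICATE", cert))
        zf.writestr("app/config/backup.key", pem(b"ENCRYPTED PRIVATE KEY", b"fake-encrypted" * 4))
    return buf.getvalue()


if __name__ == "__main__":
    results = scan_installer(build_sample_installer(), as_of="2026-03-17")
    for finding in results:
        print(finding)
    print("release blocked:", release_blocked(results))
```

Run as a CI step over the artifact that actually ships, not the source tree, since keys tend to be dropped in by packaging scripts rather than committed. The DER walk deliberately stops at the validity field; subject alternative names would tell a reviewer how broad a wildcard is, but confirming them is better left to a full X.509 parser than to a stdlib-only gate.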

China"s biggest cybersecurity company apparently just shipped an AI assistant with its own SSL private key sitting inside the installer. Qihoo 360, think Norton or McAfee, but dominant across the entire Chinese market

It appears that their new AI product, 360安全龙虾 (Security… pic.twitter.com/LsLh4sro3C

— Lukasz Olejnik (@lukOlejnik) March 16, 2026

To add insult to injury, Qihoo's founder Zhou Hongyi launched the product with a public promise that it would "never leak passwords." The company currently serves around 461 million users and is valued at $10 billion.

A wildcard private key floating around the internet opens the door to serious infrastructure attacks. Anyone holding it can impersonate 360's servers to any client they can steer their way (through DNS tampering, a hostile Wi-Fi network or a compromised router), intercept or modify user traffic in transit, and host phishing pages on a hostname covered by the certificate that browsers will show with a valid padlock, because the certificate chains to a trusted CA and nothing on the client distinguishes the legitimate holder from a thief. Until the certificate is revoked and replaced, and given that many clients do not check revocation reliably, the key stays usable for its entire remaining lifetime. Abuse of legitimately issued certificates has been a growing trend in the cyber underworld lately, so a company outright handing over a key like this on a silver platter is a dream-come-true scenario for attackers.

The company has not officially responded to the incident or revoked the compromised key at the time of writing.
