🇯🇵 Introducing Startale App Japan Edition
Offering a localized experience for managing digital assets across @ethereum and @soneium, Mini Apps exploration and more.
Get the latest JPYSC updates, discover new yield opportunities and early access to new features on Startale App.
I lost $3,000 in crypto to a phishing attack last week.
A friend's hacked account DM'd me a Zoom link. I clicked. Downloaded. Ran it. The "installer" was malware. Within minutes my hot wallet was drained.
But here's what was strange: not all of my wallets were touched. Several EOAs were untouched.
When I dug in, the difference was simple:
The wallets that survived had their private keys in macOS Keychain — locked behind OS authentication.
The wallet that got drained had its private key in a .env file. Plaintext. In a project directory.
The malware scanned my disk for SECRET/KEY patterns and grabbed everything in seconds.
This is the difference between "secure" and "convenient." And we all do it. PRIVATE_KEY=, DATABASE_URL=, STRIPE_KEY= sitting in plaintext .env files because .gitignore covers us. Until it doesn't.
So I built senv — an encrypted .env replacement, written in Rust.
• Same workflow: `senv -- cargo run`, `senv -- npm dev`
• Private key in OS Keychain (TouchID-locked on macOS)
• Vault encrypted with age (X25519 + ChaCha20-Poly1305)
• Single 2.5MB binary, no runtime
• Full TUI for editing + multi-recipient team sharing
• Open source, MIT/Apache-2.0
The model is dead simple:
`senv init` → mint an age keypair, private → Keychain, public → .env.age
`senv import .env` → encrypt every value
`senv -- <cmd>` → decrypt in memory only, inject to child process
That's it. No more plaintext keys on disk.
If you keep API keys, DB creds, or wallet private keys in .env files — encrypt them. Use senv, SOPS, 1Password CLI, dotenvx — anything. Just don't leave plaintext on disk.
Repo: https://t.co/1gNawGVjNE
Docs: English, 한국어, 日本語, 中文
I lost $3,000 in crypto to a phishing attack last week.
A friend's hacked account DM'd me a Zoom link. I clicked. Downloaded. Ran it. The "installer" was malware. Within minutes my hot wallet was drained.
But here's what was strange: not all of my wallets were touched. Several EOAs were untouched.
When I dug in, the difference was simple:
The wallets that survived had their private keys in macOS Keychain — locked behind OS authentication.
The wallet that got drained had its private key in a .env file. Plaintext. In a project directory.
The malware scanned my disk for SECRET/KEY patterns and grabbed everything in seconds.
This is the difference between "secure" and "convenient." And we all do it. PRIVATE_KEY=, DATABASE_URL=, STRIPE_KEY= sitting in plaintext .env files because .gitignore covers us. Until it doesn't.
So I built senv — an encrypted .env replacement, written in Rust.
• Same workflow: `senv -- cargo run`, `senv -- npm dev`
• Private key in OS Keychain (TouchID-locked on macOS)
• Vault encrypted with age (X25519 + ChaCha20-Poly1305)
• Single 2.5MB binary, no runtime
• Full TUI for editing + multi-recipient team sharing
• Open source, MIT/Apache-2.0
The model is dead simple:
`senv init` → mint an age keypair, private → Keychain, public → .env.age
`senv import .env` → encrypt every value
`senv -- <cmd>` → decrypt in memory only, inject to child process
That's it. No more plaintext keys on disk.
If you keep API keys, DB creds, or wallet private keys in .env files — encrypt them. Use senv, SOPS, 1Password CLI, dotenvx — anything. Just don't leave plaintext on disk.
Repo: https://t.co/1gNawGVjNE
Docs: English, 한국어, 日本語, 中文
I lost $3,000 in crypto to a phishing attack last week.
A friend's hacked account DM'd me a Zoom link. I clicked. Downloaded. Ran it. The "installer" was malware. Within minutes my hot wallet was drained.
But here's what was strange: not all of my wallets were touched. Several EOAs were untouched.
When I dug in, the difference was simple:
The wallets that survived had their private keys in macOS Keychain — locked behind OS authentication.
The wallet that got drained had its private key in a .env file. Plaintext. In a project directory.
The malware scanned my disk for SECRET/KEY patterns and grabbed everything in seconds.
This is the difference between "secure" and "convenient." And we all do it. PRIVATE_KEY=, DATABASE_URL=, STRIPE_KEY= sitting in plaintext .env files because .gitignore covers us. Until it doesn't.
So I built senv — an encrypted .env replacement, written in Rust.
• Same workflow: `senv -- cargo run`, `senv -- npm dev`
• Private key in OS Keychain (TouchID-locked on macOS)
• Vault encrypted with age (X25519 + ChaCha20-Poly1305)
• Single 2.5MB binary, no runtime
• Full TUI for editing + multi-recipient team sharing
• Open source, MIT/Apache-2.0
The model is dead simple:
`senv init` → mint an age keypair, private → Keychain, public → .env.age
`senv import .env` → encrypt every value
`senv -- <cmd>` → decrypt in memory only, inject to child process
That's it. No more plaintext keys on disk.
If you keep API keys, DB creds, or wallet private keys in .env files — encrypt them. Use senv, SOPS, 1Password CLI, dotenvx — anything. Just don't leave plaintext on disk.
Repo: https://t.co/1gNawGVjNE
Docs: English, 한국어, 日本語, 中文
SCARY FINDING: I built a scanner and found 77 LIVE OpenAI API keys exposed on GitHub in just 1 hour
Most don't even know they're leaking $$$ to attackers right now
Here's the breakdown 🧵👇
What you should do RIGHT NOW:
1. Check if YOUR keys are exposed: `sk-proj-` in your repos
2. Rotate ALL API keys (especially if you ever pushed to GitHub)
3. Enable GitHub Secret Scanning on your repos (free)
Repo link: https://t.co/5sdGBziOR1
Star it to save someone from a $$$ bill 💰
I built a free tool that automatically scans GitHub every hour and tracks exposed Codex keys
Features:
✅ Zero keys stored (metadata only)
✅ Auto-updating dashboard
✅ Notifies which repos are affected
✅ Completely open source
The code is LIVE right now 👇