Yeah, guys. This is my bad. Got the same. Just relelased security update. This is was because json.config was was available for viewing from user's perspective. Very stupid mistake from me as an experienced dev...
ALready contacted with Mex, but not sure if it helps to get money back.
How much did you lose? Not sure, but maybe I can cover your loss.
Now your api keys are secured. (need to redownload and change .htaccess file).
P.S. Also, did you change default admin/pass?
I changed default admin and pass, but for the moment i took down the entire admin page from the server because i tried to access it from another device and it opened with full administrator rights. Hovering over the pay and delete buttons in the user list, the URL exposed admin name and password.
I only lost 5500 sat, it's nothing, i did not want to hold any serious amount in the wallet while i familiarized myself with the script, so the thief got just spare change.