- A security researcher has uncovered a worrying API key leak
- The leak reportedly comes from DOGE staffer Marko Elez
- This isn't the first security concern originating from DOGE
A staffer with access to the private data of millions of Americans has reportedly leaked an API key to at least four dozen LLMs developed by artificial intelligence company xAI, including X's (formerly Twitter) own chatbot Grok.
Security expert Brian Krebs revealed that Marko Elez, an employee at Elon Musk's Department of Government Efficiency, had access to sensitive databases at the US Social Security Administration and the Justice and Treasury departments as part of DOGE's work in 'streamlining' those departments to increase efficiency.
Ironically, researchers recently discovered that a DOGE worker's credentials had been exposed by infostealing malware, so DOGE's security record so far is less than impressive.
Grok exposed
A code script committed to GitHub by Elez, named 'agent.py', included a private application programming interface (API) key for xAI. This was first flagged by GitGuardian, a firm that scans GitHub for API secret tokens, database credentials, and certificates, and alerts affected users.
The exposed API key allowed access to at least 52 different LLMs used by xAI, the most recent being an LLM called 'grok 4-0709', created on July 9, 2025, according to Philippe Caturegli, Chief Hacking Officer at security consultancy Seralys.
Caturegli told KrebsOnSecurity, "If a developer can't keep an API key private, it raises questions about how they're handling far more sensitive government information behind closed doors."
The code repository containing the private API key has since been removed after Elez was notified of the leak by email; however, the key still works and has not yet been revoked, so the issue is far from resolved.
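The two practical points in the passages above are that a committed script was caught by a scanner looking for credential-shaped strings, and that deleting the repository does nothing until the key itself is revoked. The following is an added example, not code from the article, GitGuardian or xAI, of the kind of pre-commit check a team can run locally: it pattern-matches credential-like assignments, uses Shannon entropy to drop obvious placeholders, and masks anything it reports so the scan output cannot itself leak. The 'xai-' prefix pattern and the sample file contents are assumptions constructed for the demo, not a documented key format.

```python
import math
import re

# Constructed sample file standing in for a committed script like the one in the story.
# Every value below is made up; nothing here is a real credential.
SAMPLE_AGENT_PY = """\
import os
import requests

API_KEY = "xai-FAKE0000EXAMPLEKEYabcDEF1234567890ghijKLMN"
SECRET = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
MODEL = "grok-placeholder"

def ask(prompt):
    headers = {"Authorization": f"Bearer {API_KEY}"}
    return requests.post("https://api.example.invalid/v1/chat",
                         headers=headers, json={"model": MODEL, "prompt": prompt})
"""

KEY_PATTERNS = [
    # Assumed vendor prefix: the real key format is not documented on the page,
    # so treat this rule as a guess to be tuned against the provider's own format.
    ("prefixed key (assumed 'xai-' form)", re.compile(r"\bxai-[A-Za-z0-9]{20,}\b")),
    # Any long quoted literal assigned to a credential-looking name.
    ("credential-named assignment",
     re.compile(r"""(?i)(?:api[_-]?key|secret|token)\s*=\s*["']([A-Za-z0-9_\-]{20,})["']""")),
]


def shannon_entropy(s):
    """Bits of entropy per character: random keys score high, placeholders low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, entropy_threshold=3.5):
    """Return one finding per distinct high-entropy credential-like string per line."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in KEY_PATTERNS:
            for m in pattern.finditer(line):
                candidate = m.group(m.lastindex or 0)
                if (lineno, candidate) in seen:
                    continue  # same string hit by more than one rule
                seen.add((lineno, candidate))
                ent = shannon_entropy(candidate)
                if ent < entropy_threshold:
                    continue  # repeated placeholder characters, not a real secret
                findings.append({"line": lineno, "rule": label,
                                 "secret": candidate, "entropy": round(ent, 2)})
    return findings


def redact(text, findings):
    """Mask each reported secret so the scan report is not a second leak."""
    for f in findings:
        s = f["secret"]
        text = text.replace(s, s[:4] + "*" * (len(s) - 8) + s[-4:])
    return text


if __name__ == "__main__":
    hits = scan_text(SAMPLE_AGENT_PY)
    for h in hits:
        masked = h["secret"][:4] + "*" * (len(h["secret"]) - 8) + h["secret"][-4:]
        print(f"line {h['line']}: {h['rule']} entropy={h['entropy']} value={masked}")
    print("--- redacted file ---")
    print(redact(SAMPLE_AGENT_PY, hits))
```

Wiring this into a pre-commit hook stops the commit before the key ever reaches a remote; once a key has been pushed, treat it as compromised and rotate it, because removing the repository or rewriting history does not invalidate copies already fetched by scanners or mirrors.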
This isn't the first time internal xAI APIs have been leaked: LLMs made for Musk's other organisations, like SpaceX, Tesla, and Twitter/X, were exposed earlier in 2025, Krebs confirmed.
"One leak is a mistake," Caturegli said, "but when the same type of sensitive key gets exposed again and again, it's not just bad luck, it's a sign of deeper negligence and a broken security culture."