A staff member from the Department of Government Efficiency (DOGE) unintentionally exposed a private API key belonging to xAI, Elon Musk’s artificial intelligence company, prompting serious concerns about credential management and data security within federal systems.
The incident occurred when Marko Elez, a DOGE employee, uploaded a Python script (agent.py) to a public GitHub repository that included a hardcoded access key to xAI’s API. This key granted credentials to at least 52 of xAI’s large language models—including proprietary versions of Grok, the company’s advanced conversational AI.
The leak was discovered by GitGuardian, a cybersecurity firm that specializes in identifying sensitive data committed to source control platforms. Security researcher Philippe Caturegli of Seralys promptly alerted Elez to the exposure. While the key was removed shortly after notification, reports indicate that it remained active for a period before being revoked, leaving the AI infrastructure potentially exposed to unauthorized access.
Significant Security Implications
The leaked API key provided broad access to a suite of xAI models that could include unreleased or experimental versions, raising alarms over potential misuse. Adding to the gravity of the incident, Elez is reported to have clearance for highly sensitive government systems, including databases from the Departments of Justice, Homeland Security, and the Treasury, as well as the Social Security Administration.
Although there is no evidence that the key was used maliciously, the lapse underscores the critical need for improved cybersecurity protocols within public agencies—especially as artificial intelligence becomes more deeply integrated into government operations.
“If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,” said Philippe Caturegli, who first identified the breach.
