Security
DOGE API key leak
Wednesday, July 23, 2025
|
Austin Harris |
Despite widespread concern over recent cybersecurity failures, the revelation that a DOGE API key leak has now further eroded public trust underscores the urgent need for stronger safeguards across both government and private sector systems nationwide.
Marko Elez, a 25-year-old employee at Elon Musk’s Department of Government Efficiency (DOGE), inadvertently exposed a private API key for xAI, Musk’s artificial intelligence company, in a public GitHub repository over the weekend. The leak granted potential access to over 50 large language models (LLMs) developed by xAI, raising serious concerns about operational security within DOGE and the U.S. government.
DOGE API key leak: DOGE employee Marko Elez exposes sensitive xAI API key on GitHub
The API key was embedded in a Python script titled agent.py uploaded by Elez to GitHub on July 13. The leak was first identified by GitGuardian, a cybersecurity firm specializing in secret detection across public and private codebases. GitGuardian’s automated systems flagged the inclusion of the private key and issued alerts to relevant parties.
According to Philippe Caturegli, Chief Hacking Officer at the security consultancy Seralys, the exposed key provided access to at least 52 LLMs in the xAI ecosystem, including grok-4-0709, the latest model created on July 9, 2025. Grok, xAI’s flagship generative AI chatbot integrated into Twitter/X, relies on these LLMs. Notably, xAI had just announced a contract with the U.S. Department of Defense valued at up to $200 million, days after Grok drew controversy for generating antisemitic content.
Despite immediate takedown of the compromised repository following notification, Caturegli confirmed that the API key remains active. “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,” Caturegli stated.
A pattern of security lapses
Elez’s history within Musk’s organizations and the federal government has been marked by controversy. Before joining DOGE, Elez worked at several Musk ventures. His government career began at the Department of the Treasury, where internal disputes arose over his handling of unencrypted personal data. Following his resignation amid revelations linking him to racist and eugenicist social media posts, Elez was reinstated after lobbying efforts by Vice President J.D. Vance and approval from President Donald Trump.
Since his return, Elez has been granted access across numerous federal agencies, including the Social Security Administration, Department of Labor, Customs and Border Protection, Immigration and Customs Enforcement (ICE), Department of Homeland Security, and Department of Justice. Reporting by The New York Times, Business Insider, and The Washington Post has detailed his expanding reach into sensitive government databases, including the Executive Office for Immigration Review’s Courts and Appeals System (EACS).
Notably, this is not the first instance of a DOGE employee leaking xAI’s internal keys. In May 2025, cybersecurity outlet KrebsOnSecurity reported on another DOGE staffer who exposed a private xAI key on GitHub for two months, compromising models tailored to proprietary data from SpaceX, Tesla, and Twitter/X.
Caturegli warned, “One leak is a mistake. But when the same type of sensitive key gets exposed again and again, it’s not just bad luck, it’s a sign of deeper negligence and a broken security culture.”
Marko Elez
Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.
MEMBERS GET ACCESS TO
- - Exclusive content from leaders in the industry
- - Q&A articles from industry leaders
- - Tips and tricks from the most successful developers weekly
- - Monthly issues, including all 90+ back-issues since 2012
- - Event discounts and early-bird signups
- - Gain insight from top achievers in the app store
- - Learn what tools to use, what SDK's to use, and more
Subscribe here
