DOGE API key leak

Marko Elez, a 25-year-old employee at Elon Musk’s Department of Government Efficiency (DOGE), inadvertently exposed a private API key for xAI, Musk’s artificial intelligence company, in a public GitHub repository over the weekend. The leak granted potential access to over 50 large language models (LLMs) developed by xAI, raising serious concerns about operational security within DOGE and the U.S. government.

DOGE API key leak: DOGE employee Marko Elez exposes sensitive xAI API key on GitHub

The API key was embedded in a Python script titled agent.py uploaded by Elez to GitHub on July 13. The leak was first identified by GitGuardian, a cybersecurity firm specializing in secret detection across public and private codebases. GitGuardian’s automated systems flagged the inclusion of the private key and issued alerts to relevant parties.

According to Philippe Caturegli, Chief Hacking Officer at the security consultancy Seralys, the exposed key provided access to at least 52 LLMs in the xAI ecosystem, including grok-4-0709, the latest model created on July 9, 2025. Grok, xAI’s flagship generative AI chatbot integrated into Twitter/X, relies on these LLMs. Notably, xAI had just announced a contract with the U.S. Department of Defense valued at up to $200 million, days after Grok drew controversy for generating antisemitic content.

Despite immediate takedown of the compromised repository following notification, Caturegli confirmed that the API key remains active. “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,” Caturegli stated.

A pattern of security lapses

Elez’s history within Musk’s organizations and the federal government has been marked by controversy. Before joining DOGE, Elez worked at several Musk ventures. His government career began at the Department of the Treasury, where internal disputes arose over his handling of unencrypted personal data. Following his resignation amid revelations linking him to racist and eugenicist social media posts, Elez was reinstated after lobbying efforts by Vice President J.D. Vance and approval from President Donald Trump.

Since his return, Elez has been granted access across numerous federal agencies, including the Social Security Administration, Department of Labor, Customs and Border Protection, Immigration and Customs Enforcement (ICE), Department of Homeland Security, and Department of Justice. Reporting by The New York Times, Business Insider, and The Washington Post has detailed his expanding reach into sensitive government databases, including the Executive Office for Immigration Review’s Courts and Appeals System (EACS).

Notably, this is not the first instance of a DOGE employee leaking xAI’s internal keys. In May 2025, cybersecurity outlet KrebsOnSecurity reported on another DOGE staffer who exposed a private xAI key on GitHub for two months, compromising models tailored to proprietary data from SpaceX, Tesla, and Twitter/X.

Caturegli warned, “One leak is a mistake. But when the same type of sensitive key gets exposed again and again, it’s not just bad luck, it’s a sign of deeper negligence and a broken security culture.”

Marko Elez