Marko Elez, a 25-year-old employee of Elon Musk’s Department of Government Efficiency (DOGE), inadvertently exposed a significant security vulnerability over the weekend. Elez published a private API key that granted access to various sensitive databases, including those belonging to the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. The implications of this leak raise serious concerns about the management of sensitive information by individuals in key government roles.
Image: Shutterstock, @sdx15.
On July 13, Elez inadvertently uploaded a script titled “agent.py” to GitHub, which contained the critical API key for Musk’s AI company, xAI. This exposure was initially detected by GitGuardian, a firm specializing in identifying and mitigating leaked credentials in both public and proprietary contexts. GitGuardian’s monitoring systems continuously scan repositories for compromised keys and generate alerts for affected users.
Philippe Caturegli, chief hacking officer at security consultancy Seralys, indicated that the exposed key provided access to at least 52 distinct large language models (LLMs) utilized by xAI. Notably, one of the most recent LLMs is “grok-4-0709,” launched on July 9, 2025. Grok, an AI chatbot designed by xAI and integrated into Twitter/X, relies on these models for its operations. Recent developments saw the Department of Defense planning to utilize Grok in a substantial contract valued at up to $200 million, highlighting the potential risks associated with such unguarded access.
Despite Elez’s swift removal of the repository in response to Caturegli’s notification, the API key remains functional as it has yet to be revoked. Caturegli expressed concern, stating, “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors.” This leakage amplifies the urgency for stringent operational security protocols, particularly in government roles with access to critical data.
Prior to his tenure at DOGE, Elez was involved with various other Musk ventures and had previously come under scrutiny for mishandling sensitive information at the Treasury. He resigned during an internal investigation over unencrypted personal data transmissions, in breach of agency policies. Despite controversies surrounding his social media engagement and calls for his dismissal, Elez was reinstated upon lobbying from upper management, leveraging connections with high-ranking officials.
The recent incident is not isolated, as other DOGE employees have also leaked internal API keys, thus exposing LLMs tailored for use within Musk’s enterprises, such as SpaceX and Tesla. Caturegli concluded, “One leak is a mistake, but repeated incidents indicate systemic negligence and highlight a problematic security culture.” Such vulnerabilities pose a compounded risk, engaging tactics listed in the MITRE ATT&CK framework, including initial access via credential exposure and possible privilege escalation through unregulated information access.
This exposure serves as a crucial reminder for organizations, particularly those in positions of power, to maintain rigorous security measures and implement comprehensive training programs on the importance of operational security, especially regarding sensitive data management. The gravity of the situation should prompt reflection on existing security practices and elevate the discourse around maintaining integrity within governmental operations and private sector partnerships.
