xAI Dev Leaked API Key on GitHub for Private SpaceX, Tesla & Twitter/X

A significant security lapse occurred at Elon Musk’s artificial intelligence company xAI, where a developer inadvertently leaked a private API key on GitHub that remained accessible for nearly two months. 

The exposed credentials provided unauthorized access to private large language models (LLMs) specifically fine-tuned for SpaceX, Tesla, and Twitter/X internal operations, highlighting critical vulnerabilities in credential security practices even at high-profile technology companies.

The security incident was first discovered by Philippe Caturegli, Chief Hacking Officer at security consultancy Seralys, who publicized the leak on LinkedIn. 

Leaked xAI API Key Remained Active for Weeks

GitGuardian, a company specializing in detecting exposed secrets in code repositories, subsequently investigated the matter. 

Their automated scanning systems, which continuously monitor GitHub for sensitive credentials, identified the compromised API key on March 2, 2025.

KrebsOnSecurity reports that despite immediate notification to the xAI employee responsible for the leak, the API key remained active and usable until April 30, when GitGuardian escalated the matter directly to xAI’s security team. 

According to Eric Fourrier from GitGuardian, the company found that “the key had access to at least 60 distinct data sets” including several unreleased and developmental versions of Grok models.

The leaked API credentials could have been used to query private custom-trained models including “grok-2.5V” (unreleased), “research-grok-2p5v-1018” (development), and “grok-spacex-2024-11-04” (private).

These models appear to have been fine-tuned specifically for handling internal data from Musk’s corporate network.

“The associated account not only has access to public Grok models but also to what appears to be unreleased, development, and private models,” GitGuardian noted in their communication to xAI. 

The leak occurred through an environment variable file (.env) inadvertently committed to a public GitHub repository.

This type of security breach commonly happens when developers accidentally include credential files in their repositories. 

As one developer explained in discussions about the incident, “Developers write tests inside the repos and run the git add command without checking anything. They neither add anything to the ignore file, so many keys are constantly being pushed to GitHub”.

xAI did not provide public comment on the incident, and the repository containing the key was removed shortly after GitGuardian’s notification to the security team. 

Caturegli noted that such “long-lived credential exposure highlights weak key management and insufficient internal monitoring, raising questions about safeguards around developer access and broader operational security”.

The incident serves as a stark reminder of the critical importance of robust secret management practices, even at cutting-edge AI companies handling proprietary and sensitive data.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates

The post xAI Dev Leaked API Key on GitHub for Private SpaceX, Tesla & Twitter/X appeared first on Cyber Security News.