Programmer Humor

25056 readers

1151 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

Keep content in english
No advertisements
Posts must be related to programming or programmer topics

founded 2 years ago

MODERATORS

[email protected]

198

DOGE Denizen Marko Elez Leaked API Key for xAI (lemmynsfw.com)

submitted 1 day ago* (last edited 1 day ago) by [email protected] to c/[email protected]

2 comments fedilink hide all child comments

source

Marko Elez, a 25-year-old employee at Elon Musk’s Department of Government Efficiency (DOGE), has been granted access to sensitive databases at the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. So it should fill all Americans with a deep sense of confidence to learn that Mr. Elez over the weekend inadvertently published a private key that allowed anyone to interact directly with more than four dozen large language models (LLMs) developed by Musk’s artificial intelligence company xAI.

On July 13, Mr. Elez committed a code script to GitHub called “agent.py” that included a private application programming interface (API) key for xAI. The inclusion of the private key was first flagged by GitGuardian, a company that specializes in detecting and remediating exposed secrets in public and proprietary environments. GitGuardian’s systems constantly scan GitHub and other code repositories for exposed API keys, and fire off automated alerts to affected users.

Philippe Caturegli, “chief hacking officer” at the security consultancy Seralys, said the exposed API key allowed access to at least 52 different LLMs used by xAI. The most recent LLM in the list was called “grok-4-0709” and was created on July 9, 2025.

top 2 comments

sorted by: hot top controversial new old

[–] [email protected] 13 points 1 day ago (1 children)

Idk if I missed it, but I don’t see any info about the repo itself besides the ‘agent.py’ file the key was committed to. Was the repo a government repo? Personal and public?

[–] [email protected] 22 points 1 day ago

I don't think an article writing for an audience that needs API defined is the place to get the finer details. Also, does it really matter? Keeping secrets out of the repo is pretty basic stuff, so there's a lack of fundamental information security awareness.

I'd bet all the monies that there's a bunch of unencrypted spreadsheets with enough data to steal millions of identities on some idiot's Google Drive or whatever, and a bunch of it's been shared with commercial LLMs without any of our consent. Our personal data's being handled less securely than the average corporate SharePoint site's plans for the next pizza party.