xAI API Key Leak Exposes Private SpaceX and Tesla LLMs

Key Takeaways

• An xAI developer leaked a private API key on GitHub, granting access to internal LLMs tailored for SpaceX, Tesla, and Twitter/X.
• The key provided access to unreleased and development Grok models, including those fine-tuned with sensitive SpaceX and Tesla data.
• The leak persisted for nearly two months before removal, despite initial alerts to the developer.
• GitGuardian and security researchers escalated the issue after no remediation, highlighting the importance of proactive secret scanning.
• xAI did not provide a public comment, and there is no evidence of malicious exploitation so far.

Timeline of the Incident

• March 2, 2025: GitGuardian detects the leak and alerts the xAI developer about the exposed API key. ¹
• April 26, 2025: Philippe Caturegli (Seralys) publicly discloses the leak on LinkedIn, tagging GitGuardian for technical validation and escalation. ²
• April 30, 2025: GitGuardian escalates the alert to xAI’s security team after no action. The key remains active.
• May 1, 2025: The GitHub repository containing the key is removed after external notification.

Technical Impact and Security Implications

The leaked API key was found in a public GitHub repository’s .env file. Using the exposed API key, researchers demonstrated that it granted access to unreleased and private Grok models, including those fine-tuned for SpaceX and Tesla ¹, ².

• The leaked API key enabled access to at least 60 datasets and multiple unreleased Grok models, including those fine-tuned for SpaceX and Tesla.
• Researchers warn that such access could allow attackers to:
  • Perform prompt injection attacks or manipulate model behavior
  • Attempt supply chain attacks via backend interfaces
  • Extract proprietary or sensitive information from LLMs
• The incident reveals gaps in secret management and response processes at high-profile AI companies.

Recommendations

Drawing from the incident and expert recommendations, organizations should:

• Implement automated secret scanning for all code repositories (public and private)
• Enforce rapid incident response and key rotation policies
• Limit API key permissions and monitor usage logs for anomalies
• Conduct regular security awareness training for developers

Final Thoughts

The xAI API key leak underscores the persistent risks of secret exposure in the AI sector, especially as LLMs are integrated into sensitive and proprietary workflows. Proactive security practices, transparent incident response, and ongoing developer education are essential to safeguard intellectual property and maintain trust in high-stakes industries.

Related Articles

• ScamNet uses the Llama‑3‑8B LLM to spot fraudulent e‑commerce sites with 95% accuracy via explainable AI
• AI Revolutionizes Cybersecurity Training: Meet ARCeR, the Intelligent Cyber Range Creator
• Vibe Coding with LLMs: Security Flaws and Real-World Risks Revealed