Full Report
xAI's Grok Build coding CLI was uploading entire Git repositories, full commit history and all, to a Google Cloud Storage bucket run by xAI, not just the files a coding task needed. A researcher publishing as cereblab, testing version 0.2.93, captured one of those uploads, cloned the git bundle out of the intercepted request, and pulled back a file the agent had been told in plain terms not
Analysis Summary
# Incident Report: Wholesale Repository Exfiltration via xAI Grok Build CLI
## Executive Summary
The xAI Grok Build coding CLI (version 0.2.93) was discovered to be exfiltrating entire local Git repositories, including full commit histories and unredacted secrets, to a Google Cloud Storage bucket. This behavior occurred regardless of user privacy settings and far exceeded the data requirements for AI-assisted coding tasks. xAI has since disabled the feature server-side and committed to deleting previously uploaded user data.
## Incident Details
- **Discovery Date:** July 13, 2026 (Confirmed fix/disablement)
- **Incident Date:** Reported July 14, 2026 (Active prior to this date)
- **Affected Organization:** xAI / Users of Grok Build CLI
- **Sector:** Technology / Artificial Intelligence / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing prior to July 13, 2026.
- **Vector:** Authorized use of the Grok Build CLI tool.
- **Details:** The tool utilized a dual-channel communication method: one for model inference (`/v1/responses`) and a secondary, high-volume channel for storage (`/v1/storage`).
### Lateral Movement
- **Details:** N/A. The exfiltration was performed by a legitimate binary installed on the developer's local workstation with access to the filesystem.
### Data Exfiltration/Impact
- **Details:** The CLI performed wholesale uploads of `.git` bundles. In one test, a 12 GB repository resulted in 5.10 GiB of data being sent to `gs://grok-code-session-traces/`. This included tracked files, full commit history, and unredacted secrets (e.g., `.env` files containing API keys and DB passwords).
### Detection & Response
- **How it was discovered:** Security researcher "cereblab" performed network traffic analysis and intercepted requests, recovering a "canary" file that the agent was explicitly instructed not to read.
- **Response actions:** xAI implemented a server-side configuration change on July 13, 2026, setting `disable_codebase_upload: true` to halt the behavior without requiring a client-side update.
## Attack Methodology
- **Initial Access:** Legitimate installation of xAI Grok Build version `0.2.93`.
- **Persistence:** CLI tool remains on the system; server-side flags currently control exfiltration behavior.
- **Defense Evasion:** Privacy toggles (e.g., "Improve the model") were found to be deceptive, as they did not stop the `/v1/storage` uploads despite user selection.
- **Collection:** Gathering of the entire `.git` directory and staged `metadata.json`.
- **Exfiltration:** Data sent via HTTPS in ~75 MB chunks to a Google Cloud Storage bucket (`grok-code-session-traces`).
- **Impact:** Massive exposure of proprietary source code and historical secrets embedded in Git logs.
## Impact Assessment
- **Financial:** Unknown; potential for significant IP loss.
- **Data Breach:** Complete codebase exfiltration including `.env` files and historical commits.
- **Operational:** Minimal disruption to tool function, but severe breach of trust.
- **Reputational:** High; specific criticism for lack of transparency and ignored "opt-out" settings.
## Indicators of Compromise
- **Network Indicators:**
- Traffic to hxxps[://]api[.]x[.]ai/v1/storage
- Traffic to hxxps[://]storage[.]googleapis[.]com/grok-code-session-traces/
- **File Indicators:** Use of Grok Build CLI version `0.2.93` or earlier.
- **Behavioral Indicators:** High outbound data volume relative to simple coding prompts (e.g., gigabytes of traffic for a single query).
## Response Actions
- **Containment:** Server-side disablement of code uploads by xAI.
- **Eradication:** Leadership (Elon Musk) stated all previously uploaded data would be deleted.
- **Recovery:** Users can run the `/privacy` command in the CLI to manage retention and delete synced data.
## Lessons Learned
- **Key Takeaways:** Cloud-based AI coding agents often operate outside the "local-only" mental model developers may have.
- **Policy Failures:** User-facing privacy toggles did not reflect the actual data transmission logic of the application.
- **Architectural Risk:** Sending full Git histories is a significant security overreach compared to sending only the relevant file context.
## Recommendations
- **Inventory & Audit:** Identify all workstations using Grok Build and audit recent network logs for large uploads to xAI endpoints.
- **Secret Rotation:** Immediately rotate any credentials, API keys, or passwords that were tracked in Git repositories accessed by the CLI.
- **Policy Enforcement:** Implement Egress Filtering or Data Loss Prevention (DLP) rules to intercept and block unauthorized bulk uploads to cloud storage providers from developer environments.
- **Tool Verification:** Validate that the current CLI session returns `disable_codebase_upload: true`.