Full Report
Researcher confirms the uploads have stopped, but says xAI's privacy command was not what fixed them
Analysis Summary
# Incident Report: Unauthorized Full-Repository Exfiltration via Grok Build CLI
## Executive Summary
A security researcher discovered that xAI’s Grok Build command-line interface (CLI) was automatically packaging and uploading entire user repositories, including full Git histories and deleted secrets, to a Google Cloud Storage bucket. This occurred even when users explicitly commanded the tool not to access files. The incident resulted in a global server-side configuration change by xAI and a public commitment from Elon Musk to delete all previously collected user data.
## Incident Details
- **Discovery Date:** July 12, 2026 (Reported by Cereblab)
- **Incident Date:** Continuous until July 14, 2026
- **Affected Organization:** xAI (referred to as SpaceXAI in source)
- **Sector:** Artificial Intelligence / Software Development Tools
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-July 12, 2026
- **Vector:** Authorized installation and use of the Grok Build CLI tool.
- **Details:** The tool utilized "default-on" data collection settings that exceeded standard industry practices for AI coding assistants.
### Lateral Movement
- **Details:** Not applicable in the traditional sense; however, the CLI tool performed unauthorized local discovery by traversing the user's directory structure to package Git bundles.
### Data Exfiltration/Impact
- **Details:** Upon execution of any prompt, the CLI bundled the entire local repository and Git history. This included sensitive data such as hardcoded secrets, SSH keys, and databases if they were located within the initialized directory.
### Detection & Response
- **Detection:** Discovered by AI safety researcher "Cereblab" during a traffic analysis of the CLI’s data exchange with xAI servers.
- **Public Disclosure:** Report published Sunday, July 12, 2026.
- **Remediation:** xAI developers implemented a silent server-side flag (`disable_codebase_upload: true`) to halt the behavior. Elon Musk publicly pledged a full purge of previously uploaded data on July 14, 2026.
## Attack Methodology
- **Initial Access:** Legitimate software installation (Grok Build CLI).
- **Persistence:** Local installation on developer workstations.
- **Defense Evasion:** Data was transmitted to a legitimate cloud provider (Google Cloud Storage) used by the vendor, potentially bypassing standard DLP (Data Loss Prevention) triggers.
- **Discovery:** The tool performed local file system enumeration, in one case uploading a user's entire home directory.
- **Collection:** Automated bundling of files into Git bundles.
- **Exfiltration:** HTTPS transmission to a vendor-controlled GCS bucket.
- **Impact:** Significant exposure of Intellectual Property (IP) and cryptographic secrets.
## Impact Assessment
- **Financial:** Not disclosed; potential liability regarding data privacy regulations (GDPR/CCPA).
- **Data Breach:** Full source code repositories, Git history, and potentially sensitive environment variables/SSH keys for an unknown number of users.
- **Operational:** Developers forced to pause use of the tool; requirement for secret rotation for affected users.
- **Reputational:** High; public criticism regarding "opt-out" vs. "opt-in" privacy defaults and misleading "privacy" commands.
## Indicators of Compromise
- **Network Indicators:** Outbound HTTPS traffic to xAI-controlled Google Cloud Storage buckets (e.g., `storage.googleapis[.]com/[xAI-bucket-name]`).
- **Behavioral Indicators:** Grok Build CLI (`grok-build`) executing `git bundle` or similar archive commands on the entire directory tree regardless of user prompt scope.
## Response Actions
- **Containment:** xAI disabled the global codebase upload feature via a server-side configuration change.
- **Eradication/Recovery:** Commitment by xAI leadership to delete all user data collected prior to July 14, 2026.
- **User Instruction:** xAI advised users to use the `/privacy` command to manage session-based data retention.
## Lessons Learned
- **Default Settings:** Tools that handle sensitive IP must be "Privacy by Design" (opt-in) rather than "Opt-out."
- **Command Integrity:** The CLI ignored explicit user instructions (e.g., "don't open files"), indicating a disconnect between the LLM interface and the underlying execution script.
- **Secret Hygiene:** Highlighting that "deleted" secrets in Git history are still retrievable and represent a significant risk when repos are exfiltrated.
## Recommendations
- **Developer Guidelines:** Sanitize all repositories of historical secrets using tools like BFG Repo-Cleaner or `git-filter-repo` before using AI CLIs.
- **Vetting:** Security teams should intercept and audit the network traffic of new AI development tools before authorizing enterprise-wide use.
- **Policy:** Implement "Zero Data Retention" (ZDR) contracts with AI vendors to ensure code is never stored on third-party servers.