Security researcher discovers xAI's coding assistant uploads complete project histories without user consent.
A independent security researcher recently uncovered a troubling practice buried inside xAI's Grok Build—a command-line coding assistant designed to help developers write and test software faster. When developers used this tool, it wasn't just sending the specific files needed for a particular task to company servers. Instead, the entire project repository was being uploaded to servers operated by xAI, including the complete history of every change ever made to that code.
Think of it like hiring a courier to deliver one envelope, only to discover they're photocopying your entire filing cabinet and taking copies with them. The researcher, publishing under the name cereblab, was testing version 0.2.93 of the tool and managed to capture and retrieve one of these massive uploads to a Google Cloud Storage bucket managed by xAI.
For software developers, code repositories are treasure troves of sensitive information. A git repository doesn't just contain the current state of your project—it preserves every decision, mistake, and revision ever made. This historical record can expose:
By uploading the entire git history without explicit consent, xAI was potentially exposing far more sensitive data than users realized they were sharing.
This incident highlights a growing problem in modern software development: the tension between convenience and privacy. Many developers use cloud-based coding assistants to boost productivity, but few realize the full scope of what data is being transmitted. When you use an AI coding tool, you might assume only the specific code snippet you're working on gets analyzed. This discovery shows that assumption can be dangerously wrong.
If you work at a company handling financial data, healthcare information, or proprietary technology, your employer's entire codebase—with all its historical secrets—could wind up on someone else's servers. Even individual developers might unknowingly expose personal projects containing learning attempts, experimental code, or abandoned ideas.
The core issue: Tools that automatically upload data often do so silently, leaving users unaware of what information is leaving their computers.
If you're using AI-powered coding assistants, take these steps:
Companies offering these tools should make data transmission transparent and let users choose exactly what information gets shared, not assume broad access is acceptable.
As AI development tools become standard in the industry, we need stronger safeguards to ensure our code and its secrets stay protected.
Want to understand the technology behind this story? ITVedas has beginner-friendly guides on every IT topic.
Explore IT Chapters →