logoalt Hacker News

lifthrasiiryesterday at 9:40 PM2 repliesview on HN

> exfiltrating user data (including env files, entire source code etc) which is what grok-build did here

I think env files are filtered out [1]. Anyway, the most suspicious code would be `upload_session_state` which is currently a stub function, though it is hard to say if it was only planned (badly) or has been removed as a damage control.

[1] https://github.com/xai-org/grok-build/blob/c1b5909ec707c069f...


Replies

threecheeseyesterday at 10:43 PM

It must have been removed, given that the initial evidence of the exfil specifically demonstrated .env files being included. And .ssh/* for the user which ran this in $HOME.

stefan_yesterday at 9:44 PM

No, those are directory names not uploaded. Here are the file names skipped:

https://github.com/xai-org/grok-build/blob/main/crates/codeg...

It's about not uploading compiled binary stuff, but they want all your environment data all the same.