âŒïž BREAKING: xAI's Grok Build CLI was uploading entire Git repositories to a Google Cloud bucket, private codebases and unredacted secrets included. The uploads quietly stopped via a hidden server-side flag, and xAI still has not said a word about scope, retention, or deletion.
The scale is staggering. On a 12 GB test repo, 5.1 GB flew out the door to xAI's grok-code-session-traces bucket while the actual coding task needed just 192 KB. The tool grabbed whatever repository it ran in, not the files it needed.
The fix arrived as a hidden flag, disable_codebase_upload: true, a day after a researcher's wire-level analysis. The "Improve the model" opt-out never stopped the uploads.
Still no advisory, no scope, no word on whether already-uploaded code gets deleted. For anyone pointing AI coding agents at proprietary code, what crosses the wire matters more than what the settings page says.
https://www.internationalcyberdigest.com/xais-grok-build-cli-uploads-entire-git-repositories-to-a-google-cloud-bucket/
The scale is staggering. On a 12 GB test repo, 5.1 GB flew out the door to xAI's grok-code-session-traces bucket while the actual coding task needed just 192 KB. The tool grabbed whatever repository it ran in, not the files it needed.
The fix arrived as a hidden flag, disable_codebase_upload: true, a day after a researcher's wire-level analysis. The "Improve the model" opt-out never stopped the uploads.
Still no advisory, no scope, no word on whether already-uploaded code gets deleted. For anyone pointing AI coding agents at proprietary code, what crosses the wire matters more than what the settings page says.
https://www.internationalcyberdigest.com/xais-grok-build-cli-uploads-entire-git-repositories-to-a-google-cloud-bucket/
ð©16ð±10â€3ð3ð¥2
âŒïž Update: Elon Musk says SpaceXAI will delete all user data uploaded to the company "before now" as a precautionary measure, one day after a researcher's wire-level analysis showed the Grok Build CLI shipping entire private repos, unredacted secrets included, to a Google Cloud bucket.
The pledge came in an X post. Still no advisory, no timeline, and no way for affected developers to verify deletion. And deleted or not, any credentials that left the machine still need to be rotated.
The pledge came in an X post. Still no advisory, no timeline, and no way for affected developers to verify deletion. And deleted or not, any credentials that left the machine still need to be rotated.
ð©7ð6â€4ð€ª3ð1
âŒïžBREAKING: Telegram's core t[.]me domain has been placed on serverHold at the .me registry, a registry-level status that drops it from DNS worldwide and dead-ends every t[.]me link.
Domain records show the change happened today, with no public explanation yet from Telegram, the .me registry, or backend operator Identity Digital.
Domain records show the change happened today, with no public explanation yet from Telegram, the .me registry, or backend operator Identity Digital.
ðš16ð€6ð2â€1
Last month I took Nightmare-Eclipse out for dinner. He's the person behind all those Windows zero-day PoC drops.
He wanted to eat fish â a specific kind of fish. I'm not really fond of fish, so I had no idea where you could even get it; it's always something my brain skips over when reading a menu.
I took him to a restaurant where he could have fish and I could have steak. When he took his first bite, he almost choked â he hadn't expected the bones to still be in it. I'd forgotten to warn him. After that, he started picking the fish apart with nothing but his knife. He went at it so methodically you'd think he ate fish like this for a living.
He's a bright young fella, to say the least: very calm and professional. And after hearing his story, it sounds to me like Microsoft really screwed him over and sent him off the rails.
I'm not allowed to say more, but this story still hasn't ended â that's for sure. Things will keep going like this for a while.
He wanted to eat fish â a specific kind of fish. I'm not really fond of fish, so I had no idea where you could even get it; it's always something my brain skips over when reading a menu.
I took him to a restaurant where he could have fish and I could have steak. When he took his first bite, he almost choked â he hadn't expected the bones to still be in it. I'd forgotten to warn him. After that, he started picking the fish apart with nothing but his knife. He went at it so methodically you'd think he ate fish like this for a living.
He's a bright young fella, to say the least: very calm and professional. And after hearing his story, it sounds to me like Microsoft really screwed him over and sent him off the rails.
I'm not allowed to say more, but this story still hasn't ended â that's for sure. Things will keep going like this for a while.
ð¥21â€9ð6ð€3ð1
âŒïž BREAKING: US Treasury's OFAC sanctions a ransomware VPN⊠and appears to accidentally break Telegram links worldwide.
Yesterday, the US Treasury sanctioned ransomware VPN provider 1VPNS. Buried in the sanctions entry: t[.]me/FirstVPNService, listed as one of the service's websites.
About 4 hours later, WHOIS records show the .me registry slammed Telegram's entire t[.]me domain onto serverHold, wiping every t[.]me web link from global DNS. The apps kept working, and telegram[.]me still resolves, so the hold hit the t[.]me registration specifically.
A screenshot is circulating that would confirm the t[.]me takedown, saying the domain was placed on serverHold "due to OFAC-related compliance requirements."
Yesterday, the US Treasury sanctioned ransomware VPN provider 1VPNS. Buried in the sanctions entry: t[.]me/FirstVPNService, listed as one of the service's websites.
About 4 hours later, WHOIS records show the .me registry slammed Telegram's entire t[.]me domain onto serverHold, wiping every t[.]me web link from global DNS. The apps kept working, and telegram[.]me still resolves, so the hold hit the t[.]me registration specifically.
A screenshot is circulating that would confirm the t[.]me takedown, saying the domain was placed on serverHold "due to OFAC-related compliance requirements."
ð±9ð8ð€£6â€1ð©1
ðš Nightmare-Eclipse just dropped "LegacyHive," a new Windows privilege-escalation zero-day PoC that targets the Windows User Profile Service, the component that loads a user's settings during sign-in.
The PoC reportedly uses a carefully timed path-switching trick to make Windows mount another user's Registry file, potentially an administrator's, under a standard "helper" account.
Nightmare-Eclipse claims it works across supported Windows desktop and server builds patched through July 2026.
Nightmare-Eclipse says a private version could load arbitrary Registry hives, but that broader version has not been published.
Interestingly, Nightmare-Eclipse previously told us that vulnerability names are inspired by random events in his life. "LegacyHive" appears to break from that convention.
Deja vu: Microsoft patched this broad ProfSvc trust-boundary failure in 2015 as CVE-2015-0004, which also loaded another user's hive. LegacyHive appears to use a new path-swap to revive that bug class.
As of writing: no CVE, no Microsoft advisory, no comment.
The PoC reportedly uses a carefully timed path-switching trick to make Windows mount another user's Registry file, potentially an administrator's, under a standard "helper" account.
Nightmare-Eclipse claims it works across supported Windows desktop and server builds patched through July 2026.
Nightmare-Eclipse says a private version could load arbitrary Registry hives, but that broader version has not been published.
Interestingly, Nightmare-Eclipse previously told us that vulnerability names are inspired by random events in his life. "LegacyHive" appears to break from that convention.
Deja vu: Microsoft patched this broad ProfSvc trust-boundary failure in 2015 as CVE-2015-0004, which also loaded another user's hive. LegacyHive appears to use a new path-swap to revive that bug class.
As of writing: no CVE, no Microsoft advisory, no comment.
â€7ð±4ð¥3ð¥°2ð1
âŒïž BREAKING: Dutch and Belgian police have dismantled an international crypto investment fraud network run like a company: roughly 20 call centers, 700+ "employees" and an estimated take of more than â¬100 million per month. Six suspects have been arrested across Poland, Cyprus, Belgium and Greece.
One of the lead suspect is named only as "Ehud T.", a 46-year-old Israeli-Polish national accused of building the network's technical backbone. The combination of first name, age and hacking history points strongly to infamous Israeli hacker Ehud Tenenbaum aka "The Analyzer" of the 1998 Solar Sunrise Pentagon intrusions.
The Netherlands links about 550 complaints and nearly â¬25 million in losses to the network. Belgium counts 200+ victims, and police suspect tens of thousands worldwide.
In 1998, at 18, Tenenbaum was arrested as the Israeli mentor behind Solar Sunrise, intrusions into unclassified Pentagon, NASA, Air Force and Navy systems that Washington briefly mistook for Iraqi information warfare. Convicted in Israel in 2001, he was arrested in Canada in 2008 over a card fraud scheme, pleaded guilty in the US in 2009, and left court in 2012 with time served and $503,000 in restitution.
One of the lead suspect is named only as "Ehud T.", a 46-year-old Israeli-Polish national accused of building the network's technical backbone. The combination of first name, age and hacking history points strongly to infamous Israeli hacker Ehud Tenenbaum aka "The Analyzer" of the 1998 Solar Sunrise Pentagon intrusions.
The Netherlands links about 550 complaints and nearly â¬25 million in losses to the network. Belgium counts 200+ victims, and police suspect tens of thousands worldwide.
In 1998, at 18, Tenenbaum was arrested as the Israeli mentor behind Solar Sunrise, intrusions into unclassified Pentagon, NASA, Air Force and Navy systems that Washington briefly mistook for Iraqi information warfare. Convicted in Israel in 2001, he was arrested in Canada in 2008 over a card fraud scheme, pleaded guilty in the US in 2009, and left court in 2012 with time served and $503,000 in restitution.
ð€£14ð¥2ð€ª1
âŒïž Meta is accused of using its AI to flag employees with disabilities or on medical leave for layoffs. 26 Meta workers are now suing to block their own cuts.
Per the complaint, Meta scored staff on productivity and AI token usage, metrics you cannot rack up while on protected leave. Filed in Oakland federal court, the suit also invokes new California and NYC laws requiring bias testing of AI employment tools.
Meta denies it, telling that people, not AI, made the layoff decisions.
Per the complaint, Meta scored staff on productivity and AI token usage, metrics you cannot rack up while on protected leave. Filed in Oakland federal court, the suit also invokes new California and NYC laws requiring bias testing of AI employment tools.
Meta denies it, telling that people, not AI, made the layoff decisions.
ð©15ð€£12â€2ð¥°1ð€¯1
âŒïž BREAKING: SpaceXAI has finally broken its silence on Grok Build uploading entire private repos to a Google Cloud bucket. In one evening: all previously retained coding data is being deleted, retention is now off by default, the CLI is going open source, and usage limits have been reset for everyone.
Buried in the statement is an admission. Data retention was on by default for non-ZDR (zero data retention) users during the beta, which is the closest SpaceXAI has come to confirming what the wire captures showed.
One claim needs an asterisk. SpaceXAI says users could always disable data upload and that the choice "was respected." The only control it ever showed users, the "Improve the model" toggle, did not stop the uploads in the wire captures. A flag that did stop them existed, but it was undocumented and surfaced only through reverse engineering after the exposure.
In full transparency, and to protect their credibility, they should just release an incident report and a lessons-learned tbh.
Buried in the statement is an admission. Data retention was on by default for non-ZDR (zero data retention) users during the beta, which is the closest SpaceXAI has come to confirming what the wire captures showed.
One claim needs an asterisk. SpaceXAI says users could always disable data upload and that the choice "was respected." The only control it ever showed users, the "Improve the model" toggle, did not stop the uploads in the wire captures. A flag that did stop them existed, but it was undocumented and surfaced only through reverse engineering after the exposure.
In full transparency, and to protect their credibility, they should just release an incident report and a lessons-learned tbh.
ð€ª5ð4ð€£1
Proton VPN just shared that it received 47 legal orders through June this year, all seeking to identify users behind specific server IPs and timestamps. Every one was denied, because its no-logs policy leaves no connection data to hand over.
Per its transparency report, updated July 14, that brings the total since 2019 to 458 orders, with zero fulfilled. The company keeps no connection logs under Swiss law, so there is nothing to produce even when an order is binding.
Per its transparency report, updated July 14, that brings the total since 2019 to 458 orders, with zero fulfilled. The company keeps no connection logs under Swiss law, so there is nothing to produce even when an order is binding.
ð¥°22ð7ð€5ð©3â€2ðš1