Comment by lifthrasiir

6 hours ago

> exfiltrating user data (including env files, entire source code etc) which is what grok-build did here

I think env files are filtered out [1]. Anyway, the most suspicious code would be `upload_session_state` which is currently a stub function, though it is hard to say if it was only planned (badly) or has been removed as a damage control.

[1] https://github.com/xai-org/grok-build/blob/c1b5909ec707c069f...

It must have been removed, given that the initial evidence of the exfil specifically demonstrated .env files being included. And .ssh/* for the user which ran this in $HOME.