I mean, honestly I wouldn't be amazed if one of the DOGE peoples' personal laptops (which I assume they were using, because no-one involved in any of this seems to have the first clue what they're doing) was compromised. If they saw outside login attempts within minutes of account creation, then, as you say, unless it was root/root or similar, presumably fairly realtime data exfiltration is going on _somewhere_.
EDIT: Also, given that the attacker had correct credentials and was only stopped by an _ip address_ check, we may assume that, unless the attacker was particularly incompetent, they likely got in.
EDIT: Also, given that the attacker had correct credentials and was only stopped by an _ip address_ check, we may assume that, unless the attacker was particularly incompetent, they likely got in.