Newly released documents from the Edward Snowden archive, published today by The Intercept, confirm what was already suspected this week: some of the NSA's secret malware is out in the open.

16-character string matches up

On Saturday, a group going by the name "the Shadow Brokers" began leaking what it said were NSA exploits and scripts. As security experts weighed in, it became more clear that the leaked tools were legitimate, and the Snowden documents released today are the closest we may get to the smoking gun.

The Intercept reports that NSA hackers were advised to use a specific 16-character string when employing a program called SECONDDATE, which was included in the leak. The string in the documents matches a string that was leaked, overwhelmingly suggesting a link. The documents also further detail SECONDDATE: as The Intercept reports, the malware can intercept and redirect web requests to the NSA, and was used for operations in Pakistan and Lebanon.

How the data was leaked, and who exactly leaked it, are still unclear. Some have pointed to Russia as a possible culprit, although the attribution on that front has so far been weak. As for the how, multiple theories have been proposed, but one of the most popular suggests an NSA hacker using the tools failed to clean up after an operation, allowing someone to grab the tools without a major hack.

NSA hacker may have failed to clean up after an operation

Snowden himself has argued for such a theory, outlining his thoughts on Twitter a few days ago. "The hack of an NSA malware staging server is not unprecedented," he wrote, "but the publication of the take is."