HeadlinesBriefing.com

GitHub PoC shows JPEG cache smuggling for silent payload delivery

Hacker News

GitHub user signalblur posted exifsmugglingpoc, a proof-of-concept that combines cache smuggling with JPEG Exif metadata. The technique embeds a compiled DLL inside the image's metadata so that the browser cache itself serves the payload, with no separate outbound request for the binary. Researchers demonstrate that a PowerShell loader can retrieve the hidden binary directly from Chrome's cache, avoiding network detection, because the image appears to have come from a legitimate domain.

To build the exploit, the author provides three helper files. build_clickfix_cmd.py converts a PowerShell loader into a ClickFix command; exif_smuggling.py injects the payload DLL into any JPG, accepting input and output paths for automation, and writes a new image file that appears benign. An accompanying index.html shows how a phishing page can serve the crafted image so that the silent download is triggered when the page is visited.

The proof-of-concept demonstrates that ordinary image caching can become an unintended delivery vector that bypasses firewalls monitoring outbound traffic. Defenders must scrutinize cached objects for anomalous metadata and consider cache-clearing policies for untrusted content, and enterprises should audit their CDNs for similar metadata abuse. exifsmugglingpoc therefore sets a new benchmark for stealthy malware distribution and forces a rethink of browser cache security.
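The "scrutinize cached objects for anomalous metadata" advice can be turned into a concrete check. The following scanner is an added example, not code from the exifsmugglingpoc repository or from signalblur: it walks the JPEG marker segments before Start of Scan, and flags any APPn or COM metadata segment that carries a DOS/PE header pair (an `MZ` stub whose `e_lfanew` field points at a `PE\0\0` signature), as well as files whose total metadata volume exceeds a threshold. The 64 KiB metadata budget, the two constructed sample images and the fake PE stub are assumptions chosen for illustration; tune the budget to what your own image pipeline produces (ICC profiles and embedded thumbnails can be large).

```python
import struct

SOI = b"\xff\xd8"
EXIF_HEADER = b"Exif\x00\x00"
# Assumption: combined APPn/COM metadata beyond this is unusual for camera/editor output.
MAX_METADATA_BYTES = 64 * 1024


def iter_segments(data):
    """Yield (marker, payload) for every marker segment up to Start of Scan (SOS)."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        while data[pos + 1] == 0xFF:      # skip optional fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or SOS: header section is over
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        pos += 2 + length


def looks_like_pe(blob):
    """True if blob contains an MZ stub whose e_lfanew points at a PE\\0\\0 signature."""
    idx = blob.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, idx + 0x3C)[0]
            pe_off = idx + e_lfanew
            if blob[pe_off:pe_off + 4] == b"PE\x00\x00":
                return True
        idx = blob.find(b"MZ", idx + 1)
    return False


def scan_jpeg(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    total_meta = 0
    for marker, payload in iter_segments(data):
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:   # APP0..APP15 and COM carry metadata
            name = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
            total_meta += len(payload)
            if looks_like_pe(payload):
                findings.append(f"{name}: embedded PE header")
    if total_meta > MAX_METADATA_BYTES:
        findings.append(f"metadata total {total_meta} bytes exceeds {MAX_METADATA_BYTES}")
    return findings


# --- constructed samples (not real images, not the PoC's output) ---------------

def make_segment(marker, payload):
    """Build one marker segment; the length field counts itself plus the payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def fake_pe():
    """Stand-in for a DLL: DOS header with e_lfanew=0x40, then a PE signature, no code."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 64


TIFF_STUB = b"II*\x00\x08\x00\x00\x00\x00\x00"   # little-endian TIFF header, empty IFD
TAIL = make_segment(0xDB, b"\x00" * 65) + b"\xff\xda" + b"\x00" * 8 + b"\xff\xd9"

CLEAN_JPEG = SOI + make_segment(0xE1, EXIF_HEADER + TIFF_STUB) + TAIL
SMUGGLED_JPEG = SOI + make_segment(0xE1, EXIF_HEADER + TIFF_STUB + fake_pe()) + TAIL
BLOATED_JPEG = (SOI
                + make_segment(0xE1, EXIF_HEADER + b"\x00" * (40 * 1024))
                + make_segment(0xE1, EXIF_HEADER + b"\x00" * (40 * 1024))
                + TAIL)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_JPEG), ("smuggled", SMUGGLED_JPEG), ("bloated", BLOATED_JPEG)):
        print(label, scan_jpeg(img) or "ok")
```

Run it over a browser cache directory or a CDN origin bucket by feeding each file's bytes to `scan_jpeg`; the PE check is the high-confidence signal, while the size budget only narrows the set of files worth a closer look.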