
Dead-Drop Git Commits
Pass 256 bytes across continents disguised as a typo fix, then erase the trail before CI bots finish their coffee.
0 ▒ Why This Matters
🧩 Anyone can send an encrypted file; not everyone can hide that the message was sent at all.
Git’s distributed design, infinite history, and infamous force-push let you turn a boring code repo into a disposable dropbox. One commit plants the payload, a second commit rewrites history and makes the file “never have existed.”
1 ▒ Core Idea — “History as Envelope”
🧩 Treat every commit like a frame of disappearing ink.
- Pick a noisy public repo (Star Wars quotes, meme CSS, whatever).
- Add your covert blob in a commit — hidden in diff lines, PNG LSBs, or a base64 comment block.
- Give receivers the commit hash (or blob SHA) out-of-band.
- After 24-48 h, force-push a clean branch that erases the covert commit from public history.
Because Git mirrors everywhere, anyone who cloned before the rewrite still has the data; newcomers (and casual auditors) see nothing.
2 ▒ Planting the Payload
🧩 Hide in what devs ignore.
| Cover Medium | Covert Capacity | Why It Blends |
|---|---|---|
| Comment Blocks (/* lorem… */) | ≈ 2 KB | Reviewers skim walls of doc-text. |
| PNG Screenshot in README | ≈ 400 B–1 MB via LSB stego | Images are binary; diffs don’t reveal pixels. |
| .patch Attachment | ≈ 100 KB | Patches are expected email artifacts in OSS repos. |
(Normie decode: you’re stuffing secrets inside places devs never open in detail.)
3 ▒ The “Clock-Window”
🧩 Leave the door open only long enough for allies to walk through.
Set a retrieval window (e.g., 36 h). After that, force-push a new root commit chain. Anyone fetching afterward sees a repo where the covert blob never existed. Older mirrors keep an immutable copy — just like a traditional physical dead drop that’s removed after pickup.
4 ▒ Extraction & Sanitization
🧩 Receivers pull once, stash the blob, never push back.
- Hash-lock — Share the exact blob SHA-1/SHA-256 out-of-band so they know what to extract.
- Local prune — After saving, git gc --prune=now to wipe residual references.
- Public cleanup — Repo owner can run git reflog expire --expire=now --all + GitHub’s “Delete cache & rerun CI” for extra smoke.
(Normie decode: everyone empties the trash and closes the door.)
5 ▒ Detection & Counter-Intel Angle
🧩 Yes, defenders can spot ghosts if they know where to shine the light.
- Unusual file-size spikes — sudden 3 MB PNG in a docs-only repo.
- Short-lived commits — objects that appear, then vanish within a day.
- Reflogs on mirrors — private mirrors keep reflogs even after a public force-push.
Blue-team takeaway: watch for force-push frequency and large binary blobs in text-centric projects.
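The blue-team check above, sketched from a mirror's point of view as an added example (not code from the original post): it flags ref updates that are not fast-forwards, lists the commits each rewrite orphaned, and picks out large binaries among them. The commit ids, file sizes, extension list and 1 MB threshold are constructed or assumed for illustration.

```python
# Constructed sample data (not from the page). On a mirror that keeps reflogs,
# the parent map is the output of `git rev-list --parents --all --reflog`, and
# each ref update is the old/new tip the mirror recorded around a fetch.
REV_LIST_PARENTS = """\
c3 c2
c2 c1
c1
d2 c1
"""
REF_UPDATES = [("refs/heads/main", "c1", "c3"),   # normal push
               ("refs/heads/main", "c3", "d2")]   # rewrite: c2 and c3 vanish
# Files added per commit as (path, size in bytes); constructed.
ADDED = {"c2": [("docs/shot.png", 3_100_000)],
         "c3": [("README.md", 40)],
         "d2": [("README.md", 42)]}
BINARY_EXT = (".png", ".jpg", ".gif", ".zip", ".pdf")  # assumed list
SIZE_LIMIT = 1_000_000                                  # assumed threshold

def parse_parents(text):
    """Map each commit id to its parent ids."""
    graph = {}
    for line in text.splitlines():
        if line.strip():
            sha, *parents = line.split()
            graph[sha] = parents
    return graph

def ancestors(graph, tip):
    """Every commit reachable from tip, tip included."""
    seen, stack = set(), [tip]
    while stack:
        sha = stack.pop()
        if sha not in seen:
            seen.add(sha)
            stack.extend(graph.get(sha, []))
    return seen

def find_rewrites(graph, updates, added):
    """Report non-fast-forward updates and the large binaries they orphan."""
    findings = []
    for ref, old, new in updates:
        old_set, new_set = ancestors(graph, old), ancestors(graph, new)
        if old in new_set:
            continue  # fast-forward: nothing was removed
        orphaned = sorted(old_set - new_set)
        big = [(c, path, size) for c in orphaned for path, size in added.get(c, [])
               if size >= SIZE_LIMIT and path.lower().endswith(BINARY_EXT)]
        findings.append({"ref": ref, "orphaned": orphaned, "large_binaries": big})
    return findings

FINDINGS = find_rewrites(parse_parents(REV_LIST_PARENTS), REF_UPDATES, ADDED)
```

The same ancestry test on a live mirror is `git merge-base --is-ancestor <old> <new>`; a non-zero exit status means the update rewrote history.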
6 ▒ Quick-Look Checklist
- □ Pick a repo with high commit noise.
- □ Plant payload in diff, image, or comment block.
- □ Share commit hash via out-of-band channel (Signal, QR, etc.).
- □ Force-push a clean branch after the pickup window.
- □ Garbage-collect local clones.
7 ▒ Final Whisper
A dead-drop commit is a magic trick: the audience saw nothing, yet the message moved.
Use it as a defensive study or a creative thought experiment — but remember: every force-push writes your name in a reflog somewhere. Ghosts leave footprints for those who know how to look.
Educational purposes only.