Evil Merge: The Git Attack That Hid Malware in Plain Sight for 3.5 Months

A few months ago I was doing a routine check on a codebase I work on and found obfuscated code in a Vite config file. It was sitting right there in vite.config.js, on the same line as the closing };, but pushed hundreds of characters to the right — way past anything you'd ever see in a diff or an editor without horizontal scrolling. When I traced it back through git log, the commit that introduced it was a merge. Not a regular commit on a feature branch — a merge commit. And that's when things got weird. The merge that shouldn't have changed anything The merge had two parents. I checked the file in both parents — identical. Same content, same MD5 hash: Parent 1: aa82acb0c335430d8300b6cb306dc824 Parent 2: aa82acb0c335430d8300b6cb306dc824 Merge: 2a54754defae4d13aab39f256738dbbf If you know how git merge works, you know this shouldn't happen. When both sides have the same file, git just takes it as-is. There's nothing to merge. The only way to get a different result is to open the file du