The point wasn't to leave people puzzling over it for hours. It was a bit of fun. But ... It'd be quite trivial to hide the string.

    var msg = ['E','r','r','o','r',':','S','c','r','i','p','t',' ','n','o','t',' ','f','o','u','n','d'];
    document.write(msg.join(''));

I gave a talk at BlackHat many years ago about JS malware, and proposed obfuscating malicious JS like this:

- Treat JS code like 7-bit ASCII

- For each character, convert the bits into white space. 1= space, 0 = tab

- A = "1000001" = space tab tab tab tab tab space

- concat it all together, \n shows you are done

So you can represent JS code as just whitespace. Which means this is malicious code:

<script> //st4rt

//3nd

var html = document.body.innerHTML; var start = html.indexOf("//st" + "4rt"); var end = html.indexOf("3" + "nd"); var code = html.substring(start+12, end); eval(hydrate(code)); </script>

I like that a lot. I wonder if it might be possible to use Unicode zero width space and zero width non-joiner characters.. Then there wouldn't even be any white space to see.

Base64 encode the string for added fun.

... and then caesar-cipher it so that the first guess won't easily find it? :D

Add 'happy hunting' in a comment string for additional fun.

I'm a junior dev with just 1 year of experience and this was my immediate instinct.