You could probably hide it pretty effectively during a normal pull request to fix an existing issue. As long as they aren't greping for the string anyhow. If he's going to use tools to to search a PR for the string, you'd have to obfuscate it. There are plenty of string and / or byte array manipulation techniques to sufficiently hide something like this as long as it's masked by an otherwise real PR.
I'd be XORing against some existing strings in the code of the same length to obfuscate the content, with some hidden method to invoke the reverse XOR to regenerate this challenge text string.
I think some array manipulation could do it if you're clever enough and don't make it obvious where all of the inputs comes from. So you'd make some particular parameters regenerate the string, and it wouldn't obviously stand out from the normal behavior.
