Malicious code in @tallyui/connector-shopify (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d106ed4bb3649c216aa7b4a45dec994551171295f9a95aa27ed7e0561664e644 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3516 Malicious code in @tallyui/connector-shopify (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d106ed4bb3649c216aa7b4a45dec994551171295f9a95aa27ed7e0561664e644 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious Package

Overview shopify-draggable is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious code in edj-shopify-theme (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0e23978c8bb0369f485f8c3e2384f10d9e649d13a3c198475ace4184c3757a5 The package edj-shopify-theme was found to contain malicious code. Source: ghsa-malware...

Malicious Package

Overview edj-shopify-theme is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

MAL-2026-3282 Malicious code in shopify-draggable (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f631da0153ed8da6498d0662d71d654389a24327b946635a3664d0de9d20b03f The package shopify-draggable was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3277 Malicious code in edj-shopify-theme (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0e23978c8bb0369f485f8c3e2384f10d9e649d13a3c198475ace4184c3757a5 The package edj-shopify-theme was found to contain malicious code. Source: ghsa-malware...

Malicious code in shopify-draggable (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f631da0153ed8da6498d0662d71d654389a24327b946635a3664d0de9d20b03f The package shopify-draggable was found to contain malicious code. Source: ghsa-malware...

Shopify: Missing HMAC validation on /uninstall webhook in Shopify/sample-django-app reference template

Repository: https://github.com/Shopify/sample-django-app Description The /uninstall webhook endpoint in sample-django-app processes incoming requests without verifying the X-Shopify-Hmac-Sha256 header. Shopify explicitly requires this validation as a mandatory security measure for all webhook...

MAL-2026-3051 Malicious code in shopify-app-extension-template (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bf25a3a07b9adf8865f783819176d646b7c5485aeb1539422555bf596abfeaa7 The package shopify-app-extension-template was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in shopify-app-extension-template (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bf25a3a07b9adf8865f783819176d646b7c5485aeb1539422555bf596abfeaa7 The package shopify-app-extension-template was found to contain malicious code. Source: ossf-package-analysis...

CVE-2026-34060

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a...

MAL-2026-1844 Malicious code in shopify-ping-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65f10efaec7ccae41168b3bcbce9874ddfa9fb6d806c9e55029549efe82f9898 The package shopify-ping-web was found to contain malicious code...

Malicious code in shopify-ping-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65f10efaec7ccae41168b3bcbce9874ddfa9fb6d806c9e55029549efe82f9898 The package shopify-ping-web was found to contain malicious code...

MAL-2026-1843 Malicious code in shopify-admin-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a2d9c5f86ae6bcf7ba61b04fdb9a3a1f5972c1b157323851a1d47fed29486ae0 The package shopify-admin-web was found to contain malicious code...

Malicious code in shopify-admin-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a2d9c5f86ae6bcf7ba61b04fdb9a3a1f5972c1b157323851a1d47fed29486ae0 The package shopify-admin-web was found to contain malicious code...

EUVD-2026-10873

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the...

Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access

Cybersecurity researchers have discovered malicious Google Chrome extensions that come with capabilities to hijack affiliate links, steal data, and collect OpenAI ChatGPT authentication tokens. One of the extensions in question is Amazon Ads Blocker ID: pnpchphmplpdimbllknjoiopmfphellj, which...

New Research: 64% of 3rd-Party Applications Access Sensitive Data Without Justification

Research analyzing 4,700 leading websites reveals that 64% of third-party applications now access sensitive data without business justification, up from 51% in 2024. Government sector malicious activity spiked from 2% to 12.9%, while 1 in 7 Education sites show active compromise. Specific...

MAL-2026-94 Malicious code in shopify-perf-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2b8ab5bcfbfadc319f33cd1364bdbef1f7517fe3c502f9617bc77391014296a2 The package shopify-perf-kit was found to contain malicious code. Source: ghsa-malware b815f7df6ccc90c9082b80e772505706c55a58e7e187d18b01ff56e6524e57...