TL;DR
- Polyfill.io attack 2024: 384,773 hosts compromised — many in Germany
- Magecart attack every 16 minutes (RiskIQ)
- 74% of web-based data leaks are formjacking
- Old script tags from uninstalled apps = perfect entry point
- Shopify blocks ScriptTags gradually through 26 August 2026 — old tags then produce 404 errors
Why Shopify stores are particularly vulnerable
Every uninstalled app leaves script tags in the theme. Over years some merchants accumulate dozens of dead <script src="//cdn.xyz.com/..."> entries. Each is an active supply chain vector — if the CDN domain gets compromised, your store loads malicious JavaScript.
The Polyfill.io case — what really happened
In June 2024 the polyfill.io domain was bought by a Chinese company that, a year later, manipulated the CDN infrastructure. The domain delivered malicious JavaScript to 384,773 hosts (Censys analysis) — primarily in Germany.
Affected: Hulu, Mercedes-Benz, Warner Bros, plus thousands of smaller e-commerce stores. Many still had Polyfill.io in their theme from old Shopify app integrations long uninstalled.
Bitter truth: nobody noticed the attack until a security researcher happened to analyze the traffic. The malicious code ran undetected for weeks.
The most common attack vectors on Shopify
1. Formjacking (Magecart attacks)
Attackers manipulate an external script running on your checkout page. The script reads credit card data as customers enter it and exfiltrates it to attacker-controlled servers. The Shopify admin shows no irregularity: the order is processed normally.
2. CDN takeover
Like Polyfill.io: attackers buy a forgotten CDN domain your theme still references and deliver manipulated JavaScript from it. Your shop becomes the delivery vehicle for the attack without you changing a single line.
3. Abandoned apps
Many Shopify apps are abandoned by their developers (no update, no support, sold). Script tags still run — until the next compromise.
4. Script injection via app
Even a legitimate app that writes script tags into the theme can be abused if the app provider itself suffers a security breach. The script-tag function is often the weakest link.
Shopify reacts (too late, but at least it reacts)
From 1 February 2025 Shopify deprecated the creation of new ScriptTags. Legacy ScriptTags keep running until:
- 28 August 2025: Shopify Plus — blocking active
- 26 August 2026: Non-Plus — blocking active
After these deadlines old script tags return 404 errors. Good for security, bad for stores that didn't clean up: theme rendering breaks without warning.
How to protect yourself
1. Inventory all external scripts
Open your shop in Chrome DevTools → Network tab → filter by .js. Check every external script request. Anything you don't actively use must go.
2. Content Security Policy (CSP)
A CSP header that allows only specific domains stops unknown script sources from loading. Shopify setup: in the theme header, set Content-Security-Policy: script-src 'self' cdn.shopify.com. Restrictive but effective.
Note: the CSP allowlist may need to be extended when you install a new app.
3. Subresource Integrity (SRI)
For external scripts, set the integrity attribute. If the server delivers a script other than the expected one, the browser rejects it:
<script
src="https://cdn.example.com/widget.js"
integrity="sha384-..."
crossorigin="anonymous">
</script>
Problem: most Shopify apps don't set SRI because they change scripts regularly.
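An added example (not part of the original post or of GhostCode) covering steps 1 and 3 above: it inventories the external script hosts in a theme file, flags everything outside an allowlist, and computes the SRI integrity value for a script body you have fetched and reviewed. The theme excerpt and the non-Shopify hostnames are constructed placeholders.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed theme.liquid excerpt for this example; hosts other than
# cdn.shopify.com are placeholders, not real app CDNs.
THEME_LIQUID = """
<script src="{{ 'theme.js' | asset_url }}" defer></script>
<script src="https://cdn.shopify.com/shopifycloud/storefront/load_feature.js"></script>
<script src="//cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src='https://cdn.uninstalled-app.example/widget.js' async></script>
<script>console.log("inline, not external");</script>
"""

# Hosts the store knowingly loads scripts from (assumption: only Shopify's CDN).
ALLOWED_HOSTS = {"cdn.shopify.com"}

# <script ... src="..."> with either quote style; group 2 is the URL.
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*(['"])(.*?)\1""", re.IGNORECASE)

def external_script_hosts(theme_source: str) -> dict[str, list[str]]:
    """Map each external host to the script URLs the theme loads from it.
    Liquid asset_url references are first-party and skipped; protocol-relative
    '//host/...' URLs are treated as https."""
    hosts: dict[str, list[str]] = {}
    for match in SCRIPT_SRC_RE.finditer(theme_source):
        src = match.group(2)
        if "{{" in src:  # templated first-party asset, not an external CDN
            continue
        url = "https:" + src if src.startswith("//") else src
        host = urlsplit(url).hostname
        if host:
            hosts.setdefault(host, []).append(url)
    return hosts

def ghost_candidates(theme_source: str, allowed: set[str] = ALLOWED_HOSTS) -> list[str]:
    """Script URLs served from hosts outside the allowlist: review or remove."""
    return [url for host, urls in external_script_hosts(theme_source).items()
            if host not in allowed for url in urls]

def sri_integrity(script_body: bytes) -> str:
    """SRI value for a script you fetched and reviewed: 'sha384-' + base64(sha384).
    Any later change to the bytes the CDN serves makes the browser refuse the script."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_body).digest()).decode("ascii")

if __name__ == "__main__":
    for url in ghost_candidates(THEME_LIQUID):
        print("review/remove:", url)
```

Run it against each Liquid file in the theme (layout, sections, snippets), not just theme.liquid, since uninstalled apps leave tags in all of them.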
4. Remove old scripts
Most effective protection. GhostCode scans your theme for all external script tags + identifies those from uninstalled apps — and removes them on demand.
5. Shopify Web Pixels instead of script tags
Since 2024 apps can use Web Pixels instead of script tags; these run in a sandboxed environment. Check for this when installing new apps.
Today's checklist
- DevTools network audit of your homepage
- Check every external script request for necessity
- GhostCode scan for ghost scripts
- Configure CSP header (at least 'self')
- SRI for known external scripts
- Check apps using script tags for alternatives (Web Pixel, theme extension)
Further reading: Remove Ghost Code · Clean settings_data.json · Clean Shopify Theme