"Invalid Signature: Possible malicious login - xxx.myshopify.com"
This error appeared to be caused because the parameters needed for the request_token method at some point changed to require a host parameter. Did the API install requirements recently change to require this host parameter in the request_token method? Is there another more stable solution than to include the host parameter?
Please let me know if you need any other information.