Help identifying were malicious script is loaded from in my source - "some-app"

Technical Q&A
, ,

Topic summary

A Shopify store owner’s Google Ads were suspended due to malicious content detected on their site. Investigation revealed a script injecting spam website links through the {{ content_for_header }} Liquid variable in their theme.

Key findings:

  • The malicious code pointed to “some-app.com” and wasn’t directly in theme files
  • It was being injected by one of the installed Shopify apps
  • Community members suggested two troubleshooting approaches: systematically disabling apps to test, or cross-referencing all JavaScript files against the app list

Resolution:
With help from an external developer, the store owner identified the problematic app and contacted its developer directly. The issue appears unintentional, and the owner chose not to publicly name the app to avoid reputational damage. The developer is expected to fix it for all affected users.

Status: Resolved

Summarized with AI on October 27. AI used: claude-sonnet-4-5-20250929.
1

Hello,

My google ads got taken down by google, they were dissaproved, because of Malicious content in my site since 19 May. They say it’s loading external spam websites.

After some investigations, I found out that this script is injected through “{{ content_for_header }}” in my theme.liquid file.

So this line of malicious code is actually not present in my liquid files, but loaded through that content for header shopify variable. Possibly injected by one of my installed apps.

If you look in the source code of my website: https://africanfabs.com/pages/about-us

and look for “some-app”

You will find this: “https://some-app.com/some-controller/js-method-response?shop=africanfabs.myshopify.com

this leads to a spam website.

Is there anybody that can identify from which of my apps this script is loaded / injected from? I can not find out where it comes from, so I can remove it and re-enable my google ads.

Thank you for any help!

2

It’s impossible to tell from the code what injects it exactly.

An easy and robust way would be to just disable/uninstall apps and then check the storefront.

3

Well, there is another way – identify all other Javascript files and compare with the list of your apps.

Then you can find which one is left.

It’s probably not:

Printful, Judge.me, Upsell & Cross Sell — Selleasy, Awin, Searchanize, PushOwl?..

Look at what this leaves and you should be able to get an idea what app it is.

Also worth going over App listings in App store and looking at reviews – often someone has already complained, but shopify is not fast enough to take action.

4

Hi Betterave-Nina and Tim,

Thank you both so much for your quick and friendly replies — I really appreciated your input and suggestions while I was in the middle of this frustrating situation.

I wanted to give you a quick update: with the help of an external developer, I was finally able to trace the injected script back to a specific app. I’ve since contacted the app developer directly to resolve it.

Out of respect, I won’t mention the app by name here — I believe it wasn’t intentional, and I don’t want to cause any unnecessary damage to their reputation. I’m confident that they’ll fix the issue not just for me, but for all affected Shopify users.

Thanks again for being so helpful — this community really does make a difference!

Best regards,
Jack

5

Hi Jack.

This is very generous of you to not complain about this to support or not mentioning the app here. Makes sense if this wasn’t intentional.

I’m glad that it’s resolved.

Good luck with sales!
Nina