this is site verification code not malicious code. refer to the official google doc.
Topic summary
Issue: Store owner suspects a hack after an unauthorized Google Search Console ownership appears. A Google site verification meta tag is believed to be injected, but it isn’t visible in theme.liquid.
Findings: An expert initially sees three Google-related tags, later only one verification code on the main site. They clarify that a Google site verification tag is standard (used to prove ownership to Google) and not inherently malicious.
Discrepancy: Google Search Console still flags a verification tag as present, preventing removal of unused tokens. The suspicious content appears at https://kiburi.com.au/password, which shows pages not belonging to the owner.
Location scope: The expert observes the verification code on the password page endpoint rather than the main homepage, suggesting it may be embedded in theme code for that area (e.g., theme.liquid) or served from a separate configuration.
Actions advised: Access domain/registrar account to remove any unwanted subdomain or configuration; review theme files for the password page. Owner checked cPanel and found no subdomain and plans to contact support.
Status: Unresolved; owner to escalate with registrar/host and continue code audit. Images/screenshot were shared to show detected tags.