npm

shopify-internel @99.0.1

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-6941

Ecosystem

npm

Summary

Package name 'shopify-internel' is a one-character misspelling of 'shopify-internal' and appears to squat on the Shopify namespace. The tarball contains only package.json and a one-line placeholder readme ('Random Guessing for this to see'); there is no main entry, no bin, no lifecycle scripts, and no code files. The declared description ('Build tool for Cloudflare Workers and Service Workers') does not match the name or any shipped functionality. In its current form the package cannot execute code on an installer, but the name resembles Shopify's namespace and could be weaponized in a future release.

Source: amazon-inspector (3eb1d4e4e70cff6efbfec48cbf205e071c73a70003863e2293dbf7035547f560)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.