shopify-internel @99.0.1
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6941
Ecosystem
npm
Summary
Package name 'shopify-internel' is a one-character misspelling of 'shopify-internal' and appears to squat on the Shopify namespace. The tarball contains only package.json and a one-line placeholder readme ('Random Guessing for this to see'); there is no main entry, no bin, no lifecycle scripts, and no code files. The declared description ('Build tool for Cloudflare Workers and Service Workers') does not match the name or any shipped functionality. In its current form the package cannot execute code on an installer, but the name resembles Shopify's namespace and could be weaponized in a future release.
Source: amazon-inspector (3eb1d4e4e70cff6efbfec48cbf205e071c73a70003863e2293dbf7035547f560)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.