shopify

Moderate supply-chain/security risk due to (1) UI extension performing an authenticated external network call using a checkout session token, which could enable credential/context exfiltration if the endpoint is compromised/changed; and (2) Web Pixel extension dynamically loading a third-party script and tracking/sending checkout lifecycle data (including order/transaction details). The Rust Shopify Function shows no evident malicious behavior beyond applying discounts based on metafield configuration.