Threat actors are injecting fraudulent purchase receipts into the Shopify Shop order-tracking app (50 million installs) to run callback phishing campaigns that harvest credentials, OTPs, and payment card data, or direct victims to install remote access tools. No CVE is assigned and no vendor patch or confirmed fix is available; the receipt injection mechanism has not been publicly confirmed by Shopify. Enterprise risk is concentrated in BYOD environments where Shop app installations on personal devices can serve as an entry point for corporate credential compromise.