What is the name of the domain?
What is the error number?
No specific error number - script injection issue
What is the error message?
Failed to load resource: the server responded with a status of 404 (Not Found) /bcom/
What is the issue you’re encountering
My Cloudflare-hosted Next.js site is experiencing mysterious script injection that’s adding broken code to the HTML. Three unauthorized scripts are being injected: Broken GTM script with j.src=‘/bcom/’; (404 error) Google Tags First Party script with google_tags_first_party Cloudflare analytics script with token 485c775ac6824463bdc6a1cec2cd6b9f The injected scripts break Google Tag Manager in Chrome but Safari handles them gracefully. These scripts are NOT in my source code - confirmed by: Extensive VS Code searches for all script fragments GitHub Copilot analysis confirming scripts don’t exist in codebase Testing on localhost:3000 (isolated environment) still shows injection
What steps have you taken to resolve the issue?
- Searched entire codebase for script fragments (/bcom/, developer_id.dYzg1YT, 485c775ac6824463bdc6a1cec2cd6b9f)
- Verified source code contains only correct GTM implementation
- Tested on localhost:3000 development server - scripts still inject
- Tested in Safari vs Chrome - Safari works, Chrome fails
- Used GitHub Copilot to analyze codebase - confirmed no broken scripts exist
- Checked for browser extensions, malware, DNS issues
- Deployed to Vercel as test - same scripts still appear (Cloudflare nameservers still active)
What are the steps to reproduce the issue?
- Visit creatorbuilderlabs.com in Chrome
- Open Developer Tools → Sources tab
- View page source - observe three unauthorized scripts in
- Check Console - see 404 error for /bcom/
- Test window.google_tag_manager - returns undefined (broken)
- Repeat in Safari - same scripts present but window.google_tag_manager works correctly
Expected behavior: Only my clean GTM script from layout.tsx should load
Actual behavior: Three mystery scripts inject, breaking GTM in Chrome
