It sounds like you're dealing with a frustrating and potentially serious issue — malicious JavaScript injection in your Shopify store’s <head> tag that only appears in responsive mode. Here's the key: these kinds of injections often come from third-party Shopify apps or malicious browser extensions. Since you're only seeing the code in responsive mode, it might be coming from device-targeted conditional logic embedded by an app or injected script through global.js or preload.js.

Here’s what you can do:

1. Audit your installed apps – Disable any third-party apps (especially recently installed ones) one by one to identify the culprit.

2. Check theme.liquid and layout files – Look for any suspicious external script loads (especially ones conditionally rendered based on viewport or device).

3. Use Shopify theme inspect CLI tool – It helps identify third-party scripts and their origin in your theme.

4. Temporarily replace global.js and preload.js – Replace them with dummy files and see if the injection stops. If it does, you’ve found the origin.

5. Inspect Chrome extensions – If the code only appears when you test locally, a rogue browser extension could be interfering. Try Incognito mode.

6. You’re on the right track using breakpoints — now use DevTools' Call Stack during the script injection event to trace which script or function is firing it.