Let's define a threat model that should be obvious by now, but apparently isn't.
If you're shipping anything you'd rather not have a federal employee thumbing through: don't use FedEx or UPS, and stop refreshing the tracking page like it's Twitter.
People keep getting this catastrophically wrong, so let's go through it properly.
The carriers
FedEx and UPS are private companies. Read the terms of service — buried in there is a clause reserving the right to inspect, X-ray, or hand off your shipment to anyone who asks nicely. FedEx's own terms reserve the right "to inspect the shipment at any time as well as to allow competent authorities to carry out such inspections as they may consider appropriate," which is exactly as bad as it sounds. When the DEA or CBP turn up, no warrant is required, because the Fourth Amendment restrains the government, not the contractors the government has politely asked to help. Door's already open.
USPS is a federal agency. First-class mail is Fourth Amendment protected. A postal inspector has to get a judge to sign a warrant before opening anything. The state's own postal service is, by some margin, the most paranoid carrier available to you. That should embarrass everyone, but it doesn't.
The maths
USPS moved 7.3 billion packages in 2024 — roughly 20 million a day. Picking yours out of that haystack without a tip-off is worse odds than winning Powerball twice. Sniffer dogs don't fix it either: published research has detection accuracy collapsing from near-100% in the first ten minutes of work to zero after twenty, which is why the 20-on/20-off rotation exists. The system does not catch your package by being clever. It catches your package because you flag it.
How you flag your package
The tracking page. Specifically: the tracking page hit from your real device, on your real network, with your real browser fingerprint, repeatedly, at 3am, while visibly anxious.
If you don't have a Zero Trace Pen, every refresh is a logged event — IP, device fingerprint, timezone, timestamp, often more. Hit refresh thirty times in 48 hours and congratulations, you've manufactured a behavioral signature that exists nowhere else on the internet. You correlated yourself. They didn't have to do anything.
"But I'm running Tor over a VPN"
No you aren't. Not really.
Tor Browser proxies Tor Browser. It does not proxy OneDrive, iCloud, Dropbox, Windows telemetry, macOS push services, your antivirus phoning home, Spotify, or any of the dozen other processes syncing in the background while you feel clever. Anyone doing traffic correlation doesn't need to break Tor. They need to wait about thirty seconds and watch your real IP wave at them from a different process. (This has been the case for years. It is documented. People keep doing it anyway.)
The minimum-effort route, if you must
Open Tor Browser. Push security to Safest. Drop your tracking number into 17track.net. Don't sign in. Don't create an account. The carrier sees 17Track's IP, not yours.
This is better than checking on Chrome in the same way wearing a hi-vis vest is better than carrying a flag. 17Track logs everything its end. Your host OS is still leaking telemetry round the back. It is not invisible. It is less catastrophically stupid. Know the difference.
The actual fix
Plug in a Zero Trace Pen. It boots an isolated, ephemeral OS into RAM. The host machine has no idea what's running and learns nothing when you pull it out. OneDrive stops mattering. iCloud stops mattering. All traffic is anonymised at the operating system level via Tor, not bolted on at the application level by a browser hoping for the best.
Open 17Track, check tracking, pull the pen. The session ceases to exist. There is nothing to forensically recover because there was never anything written.
It ships with an anonymous Bitcoin wallet and an encrypted messenger, because the people who need this generally need those too, and bolting them on after the fact is exactly how people get caught.
Don't get nicked, kids.