Thieves are exploiting unpublished security flaws (aka 0days) in popular store extension software. The attack method is the same: PHP Object Injection (POI). This attack vector abuses PHP's unserialize() function to inject their own PHP code into the site. With that, they are able to modify the database or any JavaScript files. Attackers are now probing Magento stores in the wild for these extensions. If you are running any of them, you'd better disable them quickly.
Source: https://gwillem.gitlab.io/2018/10/23/magecart-extension-0days/
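
One way to look for this kind of probing in your own web server logs, added here as an example and not taken from the original post: the scanner below flags query parameters that carry a PHP serialized object, either raw or base64-encoded. It assumes combined-format access logs; the log lines, paths, parameter names and the harmless `stdClass` payload are all constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# PHP serialize() writes an object as O:<name length>:"<Class>":<property count>:{...}
# (C: is the variant used by classes implementing Serializable).
OBJECT_RE = re.compile(r'[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')

# Constructed sample data: a harmless serialized object on hypothetical paths.
PAYLOAD = 'O:8:"stdClass":0:{}'
RAW = quote(PAYLOAD, safe="")
B64 = quote(base64.b64encode(PAYLOAD.encode()).decode(), safe="")
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2018:10:00:00 +0000] "GET /catalog?color=red HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Oct/2018:10:00:01 +0000] "GET /ext/a?data=' + RAW + ' HTTP/1.1" 200 0',
    '198.51.100.7 - - [23/Oct/2018:10:00:02 +0000] "GET /ext/b?state=' + B64 + ' HTTP/1.1" 200 0',
]


def serialized_classes(value):
    """Return class names of PHP serialized objects found in value,
    checking the text itself and its base64 decoding when it has one."""
    candidates = [value]
    try:
        padded = value + "=" * (-len(value) % 4)
        candidates.append(base64.b64decode(padded, validate=True).decode("latin-1"))
    except (binascii.Error, ValueError):
        pass  # not base64: only the raw value is checked
    return [name for text in candidates for name in OBJECT_RE.findall(text)]


def scan_access_log(lines):
    """Return (client, path, parameter, classes) for every query parameter
    that carries a serialized PHP object."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            classes = serialized_classes(value)
            if classes:
                hits.append((client, url.path, name, classes))
    return hits
```

Access logs normally record only the request line, so payloads sent in POST bodies or cookies need the same check applied at a WAF or in application logging.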

