Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets. Attackers modified JavaScript code indiscriminately, without checking if it loaded a payment page or not. Many websites using Amazon’s cloud storage services failed to properly secure access to their assets. Researchers at RiskIQ, a company that has been monitoring Magecart attacks since their early days, say that the threat actors automated the discovery of S3.
Source: https://www.bleepingcomputer.com/news/security/over-17-000-domains-infected-with-code-that-steals-card-data/