Seems like a magento problem with their payment plugins, but has anyone scanned or checked for similar problems in nopcommerce? I was reading about the Newegg breach and we collect the card details and send over SSL to the payment processor API. I want to ensure my site is secure from enabling extra scripts to send elsewhere at the same time.
https://www.zdnet.com/article/magecart-claims-another-victim-in-newegg-merchant-data-theft/
https://www.riskiq.com/blog/labs/magecart-keylogger-injection/
https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/