In one research report, researchers discovered Magecart attacks affecting 17,000 web domains, including some in the Alexa Top 2000. You may remember that Magecart is what took down British Airways and likely caused them to be fined 183 million pounds by the UK Information Commissioner's Office.
In a separate report, Sanguine Security says that they identified 962 web sites that were infected with Magecart in one day. They described it as the largest automated campaign to date. The previous record was 700 in one day. Source: Info Security Magazine.
Whether there is some overlap in sites between these two research groups is unknown, but what is clear is that attackers are very successfully figuring out how to inject malicious code into otherwise reputable web sites undetected. Two examples of large web sites that have been infected by this technique are Ticketmaster (EU) and British Airways, so it is not just effective on small sites, although most of the infected sites are, in fact, relatively small.
The bottom line is that all sites need to consider the possibility of their code being infected with malware and take measures to reduce the risk of that happening. This includes things like checksumming files and installing software to detect modification of existing files and the addition of new files.
The same risk applies to third party code that is integrated into your web site. As we have seen with a number of third party attacks, the attackers hit the weakest point, and if that is third party code that you use, that is fine with them.