JavaScript-based Magecart card-skimming attacks have been the main threat to e-commerce sites in recent years, but PHP code remains a major source of card skimming activity.