Well, if you will include third party JS at random
The article lacks the relevant details but from memory the way it worked in the case of British Airways (https://www.theregister.com/2018/09/06/british_airways_hacked/) is that they included a shitton of third party JavaScript - hosted outside of their domain. If you don't understand why this is a bad idea, please don't become a web developer.
That JavaScript was modified so it requested other .js files (which the attackers had written themselves) from a domain which on the face of things looked legit to an average user, not that they'd see the requests their browser was making in the background anyway.
The malicious script then targets form inputs (e.g. credit card name / number inputs) and makes an ajax POST request with the form data to a third party server for storage and thereafter "shenanigans".
So, if I'm understanding correctly, years later nobody has learnt the extremely simple premise of not including random JS from third parties on your site. Yes I know there are some exceptions where you can't do this, but I'd be willing to bet it was Bob's Shitty Analytics dot BIZ or something where they wanted it for "marketing purposes".
Some smart arse will say yes but what if they modify the JS on your site directly. If they can do that my dear then you have much bigger problems. Frankly though, including third party JS pretty much amounts to exactly this! You're giving somebody else control over what can be executed on your site.