Its just an apache module issue...
Depending on the programming language - it'd be very easy to just have the contents of the .js compiled into the apache module.
then you just send a new header and the content of the file from within the module to send the file to the web browser.
As for including the file in the html, php files - it would again be pretty simple to amend the data sent to the browser. If it has got to move through apache - then it'll be a module there that is doing it.
As for infiltration.... Systems get hacked everyday.