A typical point of entry is when a malicious actor compromises a third-party service your website uses. Here's the process: your server sends the web page, and your browser requests hundreds of external resources like analytics scripts, marketing tools, and payment processors. Then, an attacker can intercept just one of these requests and inject malicious code instead of the legitimate script.
Malicious scripts can also be injected through adverts, ad networks are essentially JS distribution networks for hire. A script on an ad network can steal credit card information and take sensitive tokens like session tokens. Therefore, if you have webpages where adverts and payments cross, it is best to be extra careful and implement a strict client-side security.