Typically, the Magecart hacker substitutes a piece of Javascript code, either by altering the Magento source or by redirecting the shopping cart using an injection to a website that hosts the malware.