I’m harvesting credit card numbers and passwords from your site. Here’s how.
This is a “what if?” scenario, but it’s all too plausible.
For site owners, the (partial) solution is to have a strong Content Security Policy.
(In the wake of Spectre and Meltdown, this is now a perfectly legitimate action for security-conscious web users to take; I hope your site can support that.)