> compromise at a third-party vendor allowed hackers to inject malicious code into its website

this gets often overlooked

Kate from marketing has full permission on Google tag manager.. phish her and inject whatever you want into the website.

And if Kate doesn't have access, the ad agency supporting the marketing department certainly will.