I've found plenty of magecart infections myself. I was surpised at how difficult it was to tell the site owners. Whois privacy,no contact email on their site, no security.txt.

Just a protip,leave some contact info in whois or somewhere on your business site so people can let you know if you get pwned.

Great writeup, wish the screenshots were a bit higher resolution/more readable