Magento 1 & 2 critical SQL injection flaw
by Sansec Support
Published in Guides
In March 2019, a critical SQL injection flaw was discovered in Magento 1 and 2. The flaw allows attackers to read from and write to your database. A common attack pattern is the theft of your admin passwords.
To fix this, install these Magento-supplied patches:
Installed these patches and eComscan still reports this issue? In some cases, the old (vulnerable) code is cached and still active. You should flush all caches. See also this Stack Overflow question.
It is also possible that you have a duplicate of the (older) Magento code located under your hosting account. In that case, it is recommended to purge the older version.
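One way to look for such duplicate copies, as an added example that is not code from Sansec or Magento: the script lists every Magento code root under a directory and warns when more than one exists. The marker files (`app/Mage.php` for Magento 1, `bin/magento` for Magento 2) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: list every Magento code root under a directory so that
# stale duplicates can be spotted and purged.
# Assumed marker files (not taken from the original page):
#   Magento 1 -> app/Mage.php      Magento 2 -> bin/magento
# vendor/ is pruned because Composer keeps its own copy of bin/magento there.

# Print one line per code root: "<M1|M2><TAB><root directory>", sorted.
find_magento_roots() {
    find "$1" -type d -name vendor -prune -o \
        -type f \( -path '*/app/Mage.php' -o -path '*/bin/magento' \) -print 2>/dev/null |
    while IFS= read -r marker; do
        case "$marker" in
            */app/Mage.php) printf 'M1\t%s\n' "${marker%/app/Mage.php}" ;;
            */bin/magento)  printf 'M2\t%s\n' "${marker%/bin/magento}" ;;
        esac
    done | sort
}

# Number of distinct code roots found under the directory.
count_magento_roots() {
    find_magento_roots "$1" | wc -l | tr -d ' '
}

# List the roots; return 1 and print a warning when more than one exists.
report_duplicates() {
    n=$(count_magento_roots "$1")
    find_magento_roots "$1"
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $n Magento code roots found; confirm which one the web server serves and purge the rest"
        return 1
    fi
    return 0
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    report_duplicates "$1"
fi
```

Pass the top of the hosting account as the only argument; a patched live store next to an unpatched backup copy shows up as two roots.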