eComscan will find and report known insecure modules. A team of security researchers maintains a database of vulnerable version numbers.
You may have disabled or renamed a vulnerable module, but still get an alert. This is intended, because sometimes insecure modules still pose a threat, even when they are marked as "disabled".
You may have manually patched a vulnerability, for example when no official fix or update is available. To stop eComscan from reporting this module, you should add
-patch to the version number (for Magento 1, this is under Vendor/Module/etc/config.xml).
What is Magecart?
Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time?About Magecart