In every vulnerability, the users are the victims. Web stores aren't a special case in the debate of "responsible disclosure" vs "immediate disclosure".
GitLab changed their stance from "responsible disclosure" vs "immediate disclosure". That's their choice, but they shouldn't mince words about it.
In the usual sense of a server having a vulnerability, there are just two parties involved: the server operators, and the malicious party exploiting the server. That's the case in which GitLab is saying to not publish a list of such vulnerable servers. In this case, the server operators are not yet victims; responsible disclosure is supposed to help us (the good guys) keep it that way.
But in this case, we have an already exploited server. The server operators are already victims. The point of publishing lists here is to attempt to prevent the malware from further skimming credit card numbers off users attempting to purchase goods from the infected storefronts. Like before, the point here is to prevent more people from falling prey to the skimmers here, but the action we must take to do so effectively is the opposite.