We also had a problem with namecheap threatening to turn off one of our production domains unless we immediately removed a page hosted at a particular URL. Apparently they had received a complaint from a third-party anti-phishing company [1] which said we were hosting a phishing page at that URL. It was a complete false alarm as we were definitely not hosting a phishing page! This would have been obvious to any human actually looking at the page. However, when we tried to argue this with namecheap support, they informed us that the only way not to have our domain promptly shut down was to either remove the page OR get the third-party company to confirm to namecheap that our page was not a phishing page (!). In other words, they would not even look at the page themselves and use their common sense to confirm it wasn't a phishing page. We briefly tried to contact the third-party company, but we were not able to get any sort of response from them at all. So we just took our page down. Namecheap support then confirmed that we would not be losing our domain this time, but shockingly followed up that if they received a single further complaint that our entire account would be shut down permanently as they have a single-strike rule. We promptly migrated our ~50 domains to another registrar.
[1] These companies are hired by organizations like banks to scour the web for phishing sites and have them shut down by reporting them to their hosting providers and/or domain registrars. Obviously our legitimate page was incorrectly flagged by whatever algorithm the company used.
Do you run any type of ad network on your site? The hijacking can be rather targeted (geo, device, time of day, etc..) such that you could never recreate on your own.
I still see this occasionally on otherwise innocuous sites.
Other 3rd party JS can still cause it, but ad networks are the most common.
[1] These companies are hired by organizations like banks to scour the web for phishing sites and have them shut down by reporting them to their hosting providers and/or domain registrars. Obviously our legitimate page was incorrectly flagged by whatever algorithm the company used.