Over a week old
On Friday 30th January, I completed a PayPal transaction and was surprised to note that NoScript (in Firefox) advised me it had blocked a suspected XSS attack. Their site seems to have been infected for over a week then.
At the time, I was buying something from an established Powerseller and had been taken to his trading site that used an intermediary website to collect payment. I've always been suspicious of these and prefer to be sent to PayPal direct. I was extra suspicious because the intermediary trader site asked me for my PayPal e-mail and password 'to make it easier to make payments the next time i bought anything'. I refused and it passed me over to PayPal.
I did think that the XSS attack was due to being involved with the intermediate trader but NoScript did say it came from PayPal and this article seems to confirm it.