
I don't believe that.

They would have to have some sort of software that is able to detect that you are connecting to cPanel and then act on your behalf. That is significantly more involved and more malicious than "just" intercepting HTML in flight and injecting ads.




If it wasn't intercepted from the cPanel then it may have been intercepted from the HTML file download from JSbin (which I copied into cPanel).

Either way, this was a downloaded HTML file which was then copied into cPanel. I never viewed or edited the file between its download from JSbin & pasting into cPanel.

The malware was affecting files & not just pages viewed in the browser. Nasty stuff.


This is pretty typical behaviour for a proxy, since it has no idea whether the user is viewing the HTML in a browser or just saving it for later use.

I have to bypass my own ad-filtering proxy whenever I download some files, as otherwise it may corrupt them as it attempts to filter out anything it detects as ad-like in the content. Not surprising that this adware would attempt to inject its script into anything it detects as being HTML.


It's much more likely that your web site or server was exploited directly, independent of you owning a Lenovo. This happens frequently; there are sophisticated operations out there scanning for a wide variety of ways into sites and servers. They pay special attention to shared hosting systems, which are not known for their high levels of security.


I don't think it was independent from the Lenovo issue.

See:

http://superuser.com/questions/848853/what-is-best-deals-pro...

http://stackoverflow.com/questions/27192298/can-not-open-a-p...

http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-P...

http://us.battle.net/wow/en/forum/topic/16283439126

The best deals script is the very same one which I found on my machine; Lenovo is written all over this.


As soon as he mentioned cPanel that was my assumption. A lot of the control panels are vulnerable in the default install and difficult to secure adequately. Don't get me started on database control panels; I regard phpMyAdmin as malware that happens to use uneducated admins as the infection vector.



