I’ve never heard of a hacker inserting malicious code on a purely static web page. Maybe it’s happened, but I’d have a hard time imagining it could do him any good.
It’s happened here, once, to one of the old Movable Type pages that were left in a static state after the fall of 2006. What happened: someone weaseled in through some unknown method (FTP?) and pasted a bunch of spam links at the bottom of the page. I didn’t notice it for some time; all I know is it happened between May 2015 and October 2016. Eventually I deleted the whole page and pasted the actual content into a WordPress post. (With the original comments, yes.)