If we're just talking about tracking then they don't need to because the site already gets all of your requests. They inherently know what pages you're viewing on their site because they gave them to you. A great many sites run this kind of analytics (often including client-side ones to track user actions - think medium.com's "most highlighted paragraph) and it's not considered malware.
If you're talking about them selling the data gathered by these, then that'd be less common but certainly not unheard of. If you're talking about them doing something more nefarious on your machine (keylogging/cracking) then hopefully that's pretty hard to do against a modern browser and any site caught doing so would never get any traffic from me again.
The problem we're discussing here is not about the site having a record of all the legitimate requests needed to load a page.
The problem is that the site is now serving a piece of (third-party, but that's besides the point) malware explicitly designed to monitor events that would normally not cause a network request (and thus wouldn't be logged), and then sending that to a malicious third-party through a reverse-proxy.
If you're talking about them selling the data gathered by these, then that'd be less common but certainly not unheard of. If you're talking about them doing something more nefarious on your machine (keylogging/cracking) then hopefully that's pretty hard to do against a modern browser and any site caught doing so would never get any traffic from me again.