The AppsFlyer Web SDK was recently compromised in a supply chain attack where malicious JavaScript was injected to hijack cryptocurrency transactions. By intercepting wallet addresses on thousands of affected websites, the attackers redirected funds to their own accounts while maintaining the SDK's normal appearance.
The AppsFlyer Web SDK, a widely used tool for marketing analytics and user engagement, was recently targeted in a significant supply chain attack. Security researchers discovered that the official domain for the SDK was serving malicious, obfuscated code to unsuspecting users. This incident is particularly impactful because the platform is utilized by approximately 15,000 businesses and integrated into over 100,000 applications globally to track marketing performance and user behavior.
The primary objective of the hijacked code was the theft of cryptocurrency by manipulating browser-side data. The malicious payload was designed to run in the background, monitoring active web pages for any input related to cryptocurrency wallet addresses. When a user attempted to enter a destination address for a transaction, the malware would quietly swap it with an address controlled by the attackers. This allowed the threat actors to divert funds across multiple blockchains, including Bitcoin, Ethereum, Solana, Ripple, and TRON.
According to investigative reports, the compromise was identified after researchers noticed unauthorized JavaScript being delivered through the official AppsFlyer web domain. The malicious script was sophisticated enough to preserve the standard functionality of the SDK, ensuring that website owners would not immediately notice any performance issues or errors. Behind the scenes, however, the script hooked into network requests and decoded malicious strings at runtime to facilitate the exfiltration of metadata and the replacement of wallet addresses.
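The swap technique described above can be caught at the point of submission by comparing what the user actually typed with what the form is about to send. The following guard is an added example, not AppsFlyer's or the researchers' code; field ids, the `recordTyped`/`checkSubmit` API and the address-format heuristics for the chains named here (Bitcoin, Ethereum, Solana, Ripple, TRON) are assumptions made for the illustration.

```javascript
// Added example (not AppsFlyer code): detect a silent wallet-address swap by
// remembering the last value the user typed into a destination-address field
// and comparing it with the value that is about to be submitted.
// Chain labels are format heuristics only; anything else classifies as null.
const BASE58 = "[1-9A-HJ-NP-Za-km-z]";
const CHAIN_PATTERNS = [
  ["ethereum", /^0x[0-9a-fA-F]{40}$/],
  ["bitcoin", new RegExp(`^(bc1[02-9ac-hj-np-z]{25,62}|[13]${BASE58}{25,34})$`)],
  ["tron", new RegExp(`^T${BASE58}{33}$`)],
  ["ripple", new RegExp(`^r${BASE58}{24,34}$`)],
  // Solana addresses are plain base58 with no prefix, so check them last.
  ["solana", new RegExp(`^${BASE58}{32,44}$`)],
];

function classifyAddress(addr) {
  for (const [chain, re] of CHAIN_PATTERNS) if (re.test(addr)) return chain;
  return null;
}

// Tracks the last value the user typed per field id. In a browser this would be
// fed from the field's "input" events; here it is called directly.
class AddressGuard {
  constructor() { this.typed = new Map(); }
  recordTyped(fieldId, value) { this.typed.set(fieldId, value.trim()); }

  // Returns {ok, reason, typedChain, submittedChain} for the value the form is
  // about to send. A mismatch means the field changed after the user finished
  // typing, which is the behaviour the hijacked SDK exhibited.
  checkSubmit(fieldId, submittedValue) {
    const typed = this.typed.get(fieldId);
    const submitted = submittedValue.trim();
    const result = {
      ok: false,
      reason: "",
      typedChain: typed === undefined ? null : classifyAddress(typed),
      submittedChain: classifyAddress(submitted),
    };
    if (typed === undefined) {
      result.reason = "no typed value recorded for field";
    } else if (typed !== submitted) {
      result.reason = "destination address changed after user input";
    } else if (result.submittedChain === null) {
      result.reason = "value does not look like a supported wallet address";
    } else {
      result.ok = true;
    }
    return result;
  }
}
```

A guard running in the same page as a compromised third-party script can itself be tampered with, so treat it as a detection signal rather than a control. The structural mitigation is to pin and verify the integrity of third-party scripts (for example with Subresource Integrity) so a swapped bundle is refused before it runs.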
AppsFlyer eventually acknowledged the situation, attributing the breach to a domain registrar incident that occurred around March 10, 2026. While the company stated that its mobile SDK remained unaffected and that there was no evidence of direct access to customer data stored on its internal systems, the web-based version was temporarily exposed. The company has since contained the incident, regained control of the domain, and communicated directly with affected business clients to resolve the security gap.
The window of exposure is estimated to have lasted from late in the evening on March 9 through March 11. Although the specific root cause and full duration of the breach are still being analyzed by third-party experts, the event serves as a stark reminder of the risks inherent in third-party integrations. Because so many modern websites rely on external SDKs for core business functions, a single point of failure at the provider level can lead to widespread downstream consequences for millions of end users.
Source: AppsFlyer Web SDK Hijacked To Spread Crypto-Stealing JavaScript Code