AppsFlyer Web SDK hijacked to spread crypto‑stealing JavaScript code
AppsFlyer's Web SDK was hijacked in a supply-chain attack that injected malicious JavaScript designed to steal cryptocurrency by intercepting wallet addresses entered on websites and redirecting them to attacker-controlled accounts. The malicious payload, discovered by Profero researchers, was served between March 9 and 11, 2026, from the official domain websdk.appsflyer.com. AppsFlyer confirmed a temporary exposure due to a domain registrar incident but reported that its mobile SDK remained safe. The company is investigating further and advising users to review logs, downgrade to known-good SDK versions, and monitor for suspicious requests. The attack targeted wallets for major cryptocurrencies such as Bitcoin, Ethereum, Solana, Ripple, and TRON, potentially impacting thousands of businesses using AppsFlyer's analytics services.

AppsFlyer's Web SDK was hijacked in early March 2026 and used to deliver malicious JavaScript that silently stole cryptocurrency wallet addresses on any site or app that loaded the SDK. The payload intercepted user inputs for Bitcoin, Ethereum, Solana, Ripple and TRON wallets, replacing them with attacker-controlled addresses while exfiltrating the original data. This supply-chain attack exploited the widespread trust in AppsFlyer's analytics platform (used by 15 000 businesses worldwide for over 100 000 mobile and web applications) to redirect funds to a threat actor.
Profero researchers confirmed that obfuscated code was delivered from the official domain websdk.appsflyer.com. The compromise likely lasted from March 9, 22:45 UTC, to March 11, though it remains unclear whether it affected all SDK users. AppsFlyer acknowledged an incident involving a domain registrar issue on March 10 that temporarily exposed the Web SDK to unauthorized code. The company stated that the mobile SDK was unaffected and that customer data had not been accessed. It has since resolved the problem and informed customers through direct communication.
Given the uncertainty about the scope of the attack, organizations using AppsFlyer should audit telemetry logs for suspicious requests from websdk.appsflyer.com, downgrade to a known‑good SDK version, and investigate any potential compromise. This incident underscores how trusted third‑party SDKs can become vectors for malicious activity, affecting downstream users and applications across the digital ecosystem.
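One way to carry out the log review recommended above, as an added example that is not code from AppsFlyer or Profero: it scans proxy logs for clients that fetched content from websdk.appsflyer.com inside the reported exposure window. The log format, the sample lines, the `EXAMPLE-PATH.js` placeholder and the choice to end the window at 23:59:59 UTC on March 11 are assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

SDK_HOST = "websdk.appsflyer.com"
# Exposure window from the article: March 9 22:45 UTC to March 11, 2026.
# Assumption: the end is taken as the last second of March 11 UTC.
WINDOW_START = datetime(2026, 3, 9, 22, 45, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 11, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample proxy log: "<UTC time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2026-03-09T22:10:03Z 10.0.4.17 GET https://websdk.appsflyer.com/EXAMPLE-PATH.js 200
2026-03-09T22:51:40Z 10.0.4.17 GET https://websdk.appsflyer.com/EXAMPLE-PATH.js 200
2026-03-10T08:02:11Z 10.0.7.52 GET https://WebSDK.AppsFlyer.com/EXAMPLE-PATH.js 200
2026-03-10T09:30:00Z 10.0.9.9 GET https://websdk.appsflyer.com.example.org/x.js 200
2026-03-10T11:15:27Z 10.0.8.3 GET https://websdk.appsflyer.com/EXAMPLE-PATH.js 304
garbled entry
2026-03-12T00:00:05Z 10.0.4.17 GET https://websdk.appsflyer.com/EXAMPLE-PATH.js 200
"""

def parse_line(line):
    """Return (time, client, host, status), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host = (urlsplit(parts[3]).hostname or "").lower()
        return when, parts[1], host, int(parts[4])
    except ValueError:
        return None

def sdk_loads_in_window(log_text):
    """Map client -> times it received SDK content (HTTP 200 or 304) in the window."""
    exposed = {}
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None:
            continue
        when, client, host, status = rec
        # Exact host match, so look-alike hosts are not counted. A 304 is kept
        # because the client's cached copy matched what the host served then.
        if host == SDK_HOST and status in (200, 304) and WINDOW_START <= when <= WINDOW_END:
            exposed.setdefault(client, []).append(when)
    return exposed

if __name__ == "__main__":
    for client, times in sorted(sdk_loads_in_window(SAMPLE_LOG).items()):
        print(client, len(times), "load(s), first at", times[0].isoformat())
```

Clients returned by `sdk_loads_in_window` are the sessions to prioritize when investigating potential compromise; requests outside the window or to other hosts are left out.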