
AppsFlyer Web SDK Hijacked to Spread Crypto-Stealing JavaScript Code
Why It Matters
The breach demonstrates how a compromised analytics SDK can silently steal crypto assets from millions of users, raising urgent security concerns for any organization that relies on third‑party code. It also highlights the broader risk of supply‑chain attacks in the rapidly expanding web‑based advertising ecosystem.
Key Takeaways
- AppsFlyer Web SDK served malicious JavaScript March 9‑11.
- Code intercepted and replaced crypto wallet addresses on victim sites.
- Affects thousands of apps; over 15,000 businesses use the SDK.
- Incident resolved; mobile SDK remained unaffected.
- Highlights need for SDK integrity monitoring.
Pulse Analysis
Third‑party software development kits have become a favorite vector for supply‑chain attackers because they sit at the intersection of high traffic and trusted code. AppsFlyer, a leading mobile measurement partner, provides a Web SDK that thousands of marketers embed to track campaign performance. By compromising the SDK’s delivery domain, threat actors injected obfuscated JavaScript that preserved normal analytics functions while silently monitoring browser traffic for cryptocurrency wallet inputs. When a wallet address was detected, the script swapped it with an attacker‑controlled address and exfiltrated the original data, targeting major coins such as Bitcoin, Ethereum, Solana, Ripple, and TRON.
The malicious code was active for a narrow window—roughly from the evening of March 9 to March 11—yet its potential reach was massive given the SDK’s integration in over 100,000 applications worldwide. Researchers from Profero identified the payload by spotting unusual network requests to websdk.appsflyer.com and confirmed that the injected script decoded strings at runtime to evade static analysis. Although AppsFlyer reported no evidence of customer data compromise and the mobile SDK remained untouched, the incident illustrates how a single compromised endpoint can expose end‑users to direct financial loss without any visible warning.
For enterprises, the AppsFlyer episode reinforces the necessity of rigorous SDK governance. Continuous monitoring of third‑party script integrity, strict version control, and rapid rollback capabilities are essential defenses. Organizations should audit telemetry for anomalous requests, employ subresource integrity hashes, and consider sandboxing external SDKs to limit their access to sensitive DOM elements. As the advertising and analytics ecosystems grow, proactive supply‑chain risk management will be a decisive factor in protecting both brand reputation and user assets.