CRYPTO

Supply Chain Breach: AppsFlyer Web SDK Hijacked to Deploy Cryptocurrency-Stealing Malware


A significant supply-chain attack has compromised the widely used AppsFlyer Web SDK, injecting it with malicious JavaScript designed to steal cryptocurrency from unsuspecting users. The attack, discovered by cybersecurity researchers at Profero, involved the official 'websdk.appsflyer.com' domain serving obfuscated, attacker-controlled code. This code functioned as a sophisticated web skimmer, specifically targeting cryptocurrency transactions by intercepting wallet addresses entered on websites and silently replacing them with addresses controlled by the threat actor. Any funds a user then sent would be siphoned directly to the attacker's wallet instead of the intended recipient.

The impact of this breach is exceptionally broad due to AppsFlyer's central role in the digital marketing ecosystem. As a leading Mobile Measurement Partner (MMP), AppsFlyer's SDK is integrated into over 100,000 mobile and web applications used by approximately 15,000 businesses globally. Its primary function is to track marketing campaign performance, user engagement, and attribution. Consequently, any website or application loading the compromised SDK automatically became a potential vector for the malware, exposing a vast and diverse end-user population to financial theft. The incident underscores the catastrophic ripple effects that can originate from a single point of failure in a critical software supply chain.

While Profero researchers confirmed the malicious payload's delivery, key details about the attack remain unclear. The full scope, precise duration, and root cause of the compromise are still unverified. AppsFlyer's official communication has been limited; the company's status page noted only a "domain availability issue" on March 10, 2026, with no explicit confirmation of a security incident. This discrepancy between external researcher findings and the vendor's public statements highlights the challenges in transparency and timely disclosure during active supply-chain threats.

This attack represents a dangerous evolution in the targeting of software development kits (SDKs) and third-party scripts, which are trusted components embedded across the modern web. Organizations relying on such external code must implement robust security measures, including Subresource Integrity (SRI) checks, Content Security Policies (CSP), and continuous monitoring for anomalous behavior in third-party assets. For end-users, the breach is a stark reminder of the risks inherent in cryptocurrency transactions and the importance of double-checking recipient addresses, even on legitimate and familiar websites.
