AppsFlyer Web SDK Compromised in 13-Hour Supply Chain Attack
In the early hours of March 9–10, 2026, attackers seized control of the AppsFlyer Web SDK CDN endpoint (websdk.appsflyer.com) via a domain registrar incident and replaced the legitimate SDK with a professionally engineered cryptocurrency-stealing JavaScript payload. Every website loading the AppsFlyer Web SDK from the official CDN during the approximately 13-hour exposure window served the malicious code directly to end users.
AppsFlyer is used by 15,000 businesses worldwide across 100,000+ mobile and web applications. The Web SDK is commonly embedded on checkout pages, payment flows, and fintech platforms — precisely the pages where cryptocurrency wallet addresses are entered.
Timeline
| Time (UTC) | Event |
|---|---|
| March 9, ~20:40 UTC | Attacker DNS redirection goes live — malicious payload begins serving |
| March 9, ~22:45 UTC | Profero researchers detect malicious JavaScript at websdk.appsflyer.com |
| March 10, 2026 | AppsFlyer confirms "domain registrar incident" on status page; customer notifications sent |
| March 10, ~10:30 UTC | AppsFlyer regains control of DNS; malicious payload removed |
| March 11, 2026 | AppsFlyer declares Web SDK safe to use |
Total exposure window: approximately 13–14 hours.
How the Attack Worked
AppsFlyer described the root cause as a domain registrar incident — attackers obtained unauthorized access to the DNS records for appsflyer.com / websdk.appsflyer.com through their domain registrar and redirected all SDK traffic to attacker-controlled infrastructure. The specific credential theft or social engineering method used against the registrar has not been publicly disclosed.
The attack did not involve:
- A breach of AppsFlyer's internal systems
- Access to data stored on AppsFlyer's servers
- Compromise of the mobile SDK
The Malicious Payload: Technical Analysis
Researchers at Feroot Security, Profero, and independent analyst Daniel Smith performed deep analysis of the injected code and described it as a professional-grade interception framework — far beyond a simple clipboard hijacker.
Payload Characteristics
- File size: ~170 KB minified JavaScript
- Encoding: Multi-layered base91-like string obfuscation using 17 distinct shuffled alphabets
- Architecture: Eight named modules with distinct responsibilities
- Anti-analysis: Complete browser console suppression to hide activity from developers
Module Architecture
| Module | Function |
|---|---|
ActuateElements | DOM manipulation |
ConsoleGuard | Suppresses all browser console output |
Destinations | Manages attacker wallet addresses |
KillElements | Removes or disables security-relevant DOM elements |
NetHooksmith | Hooks fetch and XMLHttpRequest to intercept/modify network requests |
XorCipherBytes | XOR-based runtime decryption of encoded strings |
Accounting | Tracks intercepted transactions |
AccountingForTransfer | Manages wallet substitution logic for transfer flows |
Wallet Interception Mechanism
The payload registered five regex-based interceptors, one per cryptocurrency format, that hooked into fetch/XHR response bodies and replaced matching wallet addresses with attacker-controlled addresses. It also monitored form fields and keystrokes for wallet addresses entered by users.
Cryptocurrencies targeted:
| Cryptocurrency | Ticker |
|---|---|
| Bitcoin | BTC |
| Ethereum | ETH |
| Solana | SOL |
| Ripple | XRP |
| TRON | TRX |
A value-threshold filter was likely in place to avoid triggering detection on small or test transactions — the payload appeared to activate only above a minimum transaction value.
Broader Capability
Because the script ran with full page-level access, it had theoretical capability beyond crypto theft:
- Harvesting form inputs (login credentials, PII, payment data)
- Capturing keystrokes submitted to any form on the infected page
- Exfiltrating authentication tokens visible in the DOM or network responses
The actual blast radius of what was captured during the 13-hour window is unknown.
Scale
AppsFlyer serves 15,000 businesses across 100,000+ applications. Any site loading the JavaScript Web SDK during the exposure window was delivering the crypto-stealing payload to every visitor. High-risk sectors include:
- Fintech and DeFi platforms — where cryptocurrency wallet addresses are routinely entered
- E-commerce — checkout flows with payment data
- SaaS platforms — where users may have authenticated sessions
- Healthcare and enterprise — platforms with sensitive form data
The exact number of end users exposed during the 13-hour window has not been quantified. Given the breadth of SDK adoption, the potential reach extends to millions of unique visitors.
Discovery and Response
Profero first detected the malicious payload on March 9, 2026 after observing obfuscated attacker-controlled JavaScript being delivered from the legitimate websdk.appsflyer.com endpoint. Feroot Security and independent researchers subsequently performed full payload dissections and published their findings.
AppsFlyer's response:
- Confirmed the domain registrar incident publicly via their status page
- Notified affected customers
- Regained control of DNS and removed the malicious payload within the exposure window
- Confirmed: no customer data on AppsFlyer's servers was accessed; mobile SDK was unaffected throughout
What To Do If Your Site Uses the AppsFlyer Web SDK
The Web SDK has been confirmed clean since March 11, 2026. However, if your site served the SDK during the March 9–10 exposure window:
- Notify users who transacted on your platform during the window — particularly any who may have entered cryptocurrency wallet addresses
- Review your Web SDK integration — confirm you are loading the SDK from the official CDN with the current version
- Implement Subresource Integrity (SRI) for all third-party JavaScript — SRI hashes would have blocked the injected payload from executing
- Audit CSP headers — a strict Content Security Policy restricts which domains can serve executable scripts
- Consider self-hosting critical SDK dependencies — eliminates CDN-level supply chain risk
- Monitor for anomalous outbound requests to unfamiliar domains from your web pages
Detecting Malicious SDK Activity in Logs
Look for outbound requests from your frontend to domains not in your expected third-party list, particularly during March 9–10, 2026:
# Indicators: unexpected POST requests to non-AppsFlyer domains
# during hours: 2026-03-09T20:40 to 2026-03-10T10:30 UTC
# targeting: cryptocurrency wallet address patterns in request bodies
Structural Takeaway
This attack represents a clean example of how a single point of trust in the web SDK supply chain can be exploited to instantly weaponize tens of thousands of downstream sites. The sophistication of the payload — 8 named modules, polymorphic obfuscation, value-threshold filtering, full console suppression — indicates a well-resourced threat actor with significant development investment.
Organizations relying on third-party JavaScript CDNs should treat this incident as a forcing function for implementing Subresource Integrity verification and regular third-party script audits.
Sources
- BleepingComputer — AppsFlyer Web SDK hijacked to spread crypto-stealing JavaScript code
- Feroot Security — AppsFlyer's JavaScript SDK Has Been Compromised
- Daniel Smith / Medium — AppsFlyer Web SDK Compromise: Independent Payload Analysis
- GitHub Gist — AppsFlyer SDK compromised 2026-03-10