
AppsFlyer Web SDK hijack exposed websites to crypto-stealing JavaScript


What happened

Security researchers reported that AppsFlyer’s Web SDK briefly served unauthorized JavaScript from an official SDK domain. The injected code reportedly monitored pages for cryptocurrency wallet inputs and replaced legitimate wallet addresses with attacker-controlled addresses.

AppsFlyer confirmed a domain registrar-related incident and said it contained the issue. The vendor also stated that its mobile SDK was not impacted.

Why this matters

This is a high-signal, supply-chain-style event because it affects downstream sites that trusted a widely deployed third-party SDK.

When analytics or marketing SDK dependencies are compromised, organizations can inherit malicious code without changing their own application codebase.

Potential impacts include:

  • direct fund theft through wallet-address substitution,
  • user trust damage for affected sites and apps,
  • incident response overhead across many downstream teams.

What defenders should do now

  1. Review web telemetry from the reported exposure window for suspicious calls related to websdk.appsflyer.com.
  2. Re-validate loaded third-party script hashes and enforce Subresource Integrity (SRI) where feasible.
  3. Investigate potential wallet-address manipulation events in transaction logs.
  4. Reconfirm incident communication paths with major third-party SDK vendors.
  5. Expand software supply-chain monitoring to include client-side JavaScript dependencies.
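
One way to carry out step 2, as an added example (not code from AppsFlyer or from the original article): a Node.js audit that lists external script tags lacking an integrity attribute and checks a served script body against its pinned SRI hash. The vendor URLs, script bodies and function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// SRI value for a script body: "<alg>-<base64 digest>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// External <script> tags in a page. A regex pass is adequate for auditing your
// own templates; use a real HTML parser for arbitrary markup.
function externalScripts(html) {
  const out = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const attr = (name) => {
      const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
      return m ? m[1] : null;
    };
    const src = attr('src');
    if (src && /^(https?:)?\/\//i.test(src)) out.push({ src, integrity: attr('integrity') });
  }
  return out;
}

// Flag scripts with no integrity attribute, and scripts whose currently served
// body matches none of the pinned hashes (tampering or an unannounced update).
function audit(html, servedBodies) {
  const findings = [];
  for (const { src, integrity } of externalScripts(html)) {
    if (!integrity) { findings.push({ src, issue: 'missing-sri' }); continue; }
    const body = servedBodies[src];
    if (body === undefined) continue; // not fetched in this run
    const pins = integrity.trim().split(/\s+/).filter((h) => /^sha(256|384|512)-/.test(h));
    if (!pins.some((h) => sriHash(body, h.split('-')[0]) === h)) {
      findings.push({ src, issue: 'hash-mismatch', served: sriHash(body) });
    }
  }
  return findings;
}

// Constructed sample data: hypothetical vendor URLs and script bodies.
const SDK_URL = 'https://sdk.vendor.example/sdk.js';
const KNOWN_GOOD = 'window.sdk={track(){}};';
const TAMPERED = KNOWN_GOOD + '/* changed */';
const PAGE = `
<script src="${SDK_URL}" integrity="${sriHash(KNOWN_GOOD)}" crossorigin="anonymous"></script>
<script src="https://cdn.other.example/tag.js"></script>
<script src="/local/app.js"></script>`;

console.log(audit(PAGE, { [SDK_URL]: KNOWN_GOOD }));
console.log(audit(PAGE, { [SDK_URL]: TAMPERED }));
```

SRI pinning only holds for version-pinned files; for a vendor loader that updates in place, run the same comparison on a schedule and treat a hash change as an event to review.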

Bottom line

The AppsFlyer incident is a reminder that third-party SDK trust is part of your attack surface. Teams should treat browser-loaded dependencies with the same rigor as backend packages and continuously monitor for tampering signals.
