AppsFlyer SDK Exploited in New Supply Chain Crypto Attack
Between March 9 and March 11, 2026, attackers had a 48-hour window inside one of the most widely embedded JavaScript libraries on the internet. The AppsFlyer Web SDK — present in over 100,000 web and mobile applications — was quietly rewritten on AppsFlyer’s own CDN to steal cryptocurrency. No perimeter defense would have caught it. No WAF, no firewall, no endpoint agent. The attack lived entirely inside trusted third-party code running in your users’ browsers.
If you operate in fintech, e-commerce, crypto, or any vertical where users enter payment or wallet data, this one is worth your full attention.
AppsFlyer SDK Supply Chain Attack – What Happened?
Attackers injected malicious JavaScript into the AppsFlyer Web SDK hosted on AppsFlyer’s CDN — notably, not the mobile SDK. The compromised code intercepted cryptocurrency wallet addresses entered by end users, silently replacing them with attacker-controlled addresses while exfiltrating metadata: page URLs, timestamps, and user agents. The script continued to perform its legitimate analytics functions throughout, making it exceptionally difficult to detect through conventional means.
As of this writing, no stolen funds have been confirmed. But that’s not the point. The point is that for 48 hours, any business running this SDK was potentially serving malware to its own customers — and most had no way of knowing.
Why This Attack Is So Hard to Stop
This attack didn’t exploit a vulnerability in your code. It exploited your trust in someone else’s.
Developers embed the AppsFlyer SDK directly into their applications. Once integrated, it runs in the background with broad access to user activity and data flows — tracking installs, sign-ups, purchases, and campaign events. That access is what makes it valuable for analytics. It’s also what makes it a high-value target.
Traditional security controls failed here for a simple reason: the script source was already trusted. The malicious logic was heavily obfuscated within code your systems had been told was safe. Signature-based detection, SRI checks on a hash that was never flagged, allowlists — none of these catch an attack that originates from within the trusted source itself.
How Reflectiz Would Have Detected This
Reflectiz doesn’t ask “is this script allowed?” It asks: “Is this script behaving the way it should?”
Behavioral drift in a trusted SDK
The compromised AppsFlyer SDK kept doing its job while running additional malicious logic underneath. Reflectiz monitors runtime behavior continuously, so even when a script comes from a trusted source, it flags anomalies like:
- New or unusual outbound network connections
- External domains appearing for the first time
- Scripts executing logic outside their established behavioral baseline
Here’s what that looks like in practice: a Reflectiz customer running AppsFlyer would have seen an alert that the SDK had initiated connections to an unrecognized domain — something like analytics-appsflyr[.]com or a similarly disguised endpoint — within hours of the compromise. That alert would have been the earliest signal of something wrong, long before any vendor advisory.
Suspicious data flows on sensitive inputs
The injected code was designed specifically to intercept wallet addresses — a form of input that should never leave the page through a marketing SDK. Reflectiz maps data flows in real time and flags when sensitive user inputs are accessed or transmitted by scripts that have no business touching them. This shifts the detection model from access control to behavioral validation.
Hidden third-party dependencies
Supply-chain attacks routinely introduce secondary infrastructure — additional scripts, callbacks, or exfiltration endpoints — that weren’t part of the original integration. Reflectiz surfaces these by revealing which third parties an SDK is calling, whether new entities have appeared in the execution chain, and how far trust is being extended beyond your direct control. In this attack, that visibility would have exposed the malicious backend infrastructure operating behind AppsFlyer’s legitimate facade.
Script integrity monitoring
The simplest signal of all: the script changed. Reflectiz alerts on modifications to third-party scripts, behavioral differences between versions, and unexpected increases in code complexity or obfuscation. In a two-day attack window, real-time detection of a script change is often the difference between catching an incident and reading about it afterward.
The Broader Shift
The AppsFlyer incident follows a now-familiar pattern: Polyfill.io, Magecart, Ticketmaster/Inbenta. In each case, the attack vector wasn’t a misconfiguration or an unpatched CVE — it was trust. A trusted vendor, a trusted CDN, a trusted script.
The security perimeter has moved. It now extends to every third-party component running in your users’ browsers, and the only way to defend it is continuous monitoring of what those components actually do.
That’s what Reflectiz is built for.
If you’re unsure whether AppsFlyer or similar SDKs are running on your properties — and what they’re doing when they get there — request a free website scan.
FAQs
How would a behavioral monitoring platform detect a compromised SDK like AppsFlyer?
A behavioral monitoring platform like Reflectiz does not ask whether a script comes from a trusted source — it observes what that script actually does at runtime. In the AppsFlyer attack, the monitoring platform would flag behavioral anomalies: the SDK suddenly accessing cryptocurrency wallet input fields that it had no historical reason to touch, the script making network calls to endpoints that were not part of its previous behavioral baseline, and data being transmitted to domains not associated with AppsFlyer’s legitimate infrastructure. These behavioral deviations from the script’s established baseline constitute the detection signal — one that is completely independent of the script’s origin or reputation.
Some reports claim the attackers “avoided” certain endpoints to bypass SRI checks. Is this accurate?
Not technically. Subresource Integrity (SRI) is a security feature that allows browsers to verify that a script fetched from a CDN hasn’t been tampered with by comparing its cryptographic hash against a value provided in the HTML. SRI checks the integrity of the script file itself at the moment it is loaded; it does not monitor the behavior or network calls of other endpoints like fvalid.appsflyer.com.
If a website had SRI configured for the AppsFlyer SDK, any modification to the SDK code on the CDN would have caused the hash to mismatch, and the browser would have blocked the script entirely. Therefore, the attackers didn’t “avoid” endpoints to bypass SRI—if SRI was active on the SDK, the attack would have been blocked regardless of which endpoints they used. The claim of an “SRI bypass” in this context is likely a misunderstanding of how the protocol works.
What happened in the AppsFlyer SDK supply chain attack in March 2026?
Between March 9 and 11, 2026, attackers injected malicious JavaScript into the AppsFlyer Web SDK — a widely deployed analytics library present in over 100,000 web and mobile applications — by compromising the file hosted directly on AppsFlyer’s own CDN. The malicious code was designed to intercept cryptocurrency wallet addresses entered by end users and silently replace them with addresses controlled by the attackers, while simultaneously exfiltrating metadata including page URLs, timestamps, and browser user agents. Critically, the script continued performing its legitimate analytics functions throughout the attack window, making it exceptionally difficult to detect through conventional monitoring. The attack persisted for approximately 48 hours before being discovered.
What industries are most at risk from SDK-level supply chain attacks targeting cryptocurrency?
Any organization whose web properties allow users to enter cryptocurrency wallet addresses is directly exposed to attacks like the AppsFlyer SDK compromise. This includes cryptocurrency exchanges, DeFi platforms and Web3 applications, fintech services that support digital asset payments, e-commerce platforms that accept cryptocurrency, and any financial services platform integrating crypto functionality. However, the broader lesson applies across industries: any organization deploying third-party SDKs for analytics, marketing, or user experience collects a hidden attack surface. The SDK category most commonly exploited includes analytics libraries, advertising scripts, and customer engagement tools — all of which typically have broad DOM access and are present on high-traffic pages.
Why did traditional security controls fail to detect the AppsFlyer SDK compromise?
The attack exploited a fundamental assumption that most security architectures make: that code served from a known, trusted source is safe. The AppsFlyer CDN was already allowlisted by every organization using the SDK. Signature-based detection tools had no malicious signature to match because the payload was novel. Subresource Integrity (SRI) checks — which verify that a script’s content matches a known hash — were ineffective because the attack modified the script at its authoritative source; there was no tampered copy to compare against. WAFs and firewalls operate at the network perimeter and have no visibility into what JavaScript actually executes inside the browser. The attack lived entirely within trusted infrastructure that all conventional defenses were configured to permit.
Subscribe to our newsletter
Stay updated with the latest news, articles, and insights from Reflectiz.
Related Articles
Your Website looks great!
But what’s happening behind the scenes?
Discover your website blind spots and vulnerabilities before it’s too late!
