A recent supply chain incident exposed website visitors to cryptocurrency theft. The AppsFlyer crypto stealer attack involved malicious JavaScript distributed through the company’s Web SDK.
AppsFlyer provides marketing analytics tools used by many websites worldwide. The Web SDK allows companies to track user activity and marketing performance. Because the script runs directly in visitors' browsers, it has the same access to page elements and user input as the site's own code.
Attackers exploited this trusted component to inject malicious code. The compromised script monitored cryptocurrency transactions and manipulated wallet addresses. The incident demonstrates the risks created by widely used third-party web tools.
Attack Used Compromised Web SDK
The attack targeted the AppsFlyer Web SDK used by websites for analytics and event tracking. Attackers injected malicious JavaScript into the script served to websites.
When a page loaded the compromised SDK, the malicious code executed in the visitor’s browser. The script monitored input fields and page activity related to cryptocurrency payments.
Because the code came from a trusted source, websites loaded it automatically. Site owners did not need to change their own code to become affected.
The malicious script remained active for a limited period before researchers discovered the issue. Security teams quickly investigated the unusual behavior and began containment efforts.
Malware Replaced Cryptocurrency Wallet Addresses
The injected script focused on cryptocurrency transactions. It monitored wallet addresses entered during payment processes.
When the victim copied or entered a wallet address, the script replaced it with an address controlled by the attacker. The change occurred silently within the page.
Victims could unknowingly send funds to the attacker instead of the intended recipient. Because blockchain transactions are irreversible, stolen funds are difficult to recover.
Browser-based attacks like this operate without installing malware on the victim’s device. The malicious code runs directly within the webpage environment.
Incident Linked to Infrastructure Compromise
Investigations suggest the malicious script appeared after attackers interfered with infrastructure used to serve the SDK. During this window, the official script delivered modified JavaScript containing the crypto stealer code.
The malicious version remained active for a short time before the issue was detected. Once identified, security teams removed the compromised code and restored the legitimate script.
Because the attack used trusted infrastructure, many websites unknowingly served the malicious code to visitors.
AppsFlyer Responds to the Incident
AppsFlyer confirmed the incident and began an internal investigation. The company stated that the malicious code was removed shortly after detection.
The company reported that the issue affected the Web SDK used on websites. The mobile SDK used by applications remained unaffected.
AppsFlyer also stated that its internal systems and customer databases were not breached. The attack focused on delivering malicious code through the script served to websites.
The company continues reviewing the event and communicating with affected customers.
Conclusion
The AppsFlyer crypto stealer incident highlights the risks of supply chain attacks in modern web infrastructure. Third-party scripts often run with full access to website pages and user input.
When attackers compromise a widely used component, the impact can spread quickly across many websites. Visitors may face threats without installing any software.
Organizations increasingly depend on external services and analytics tools. This dependence creates new opportunities for attackers targeting shared infrastructure.
Strengthening monitoring and supply chain security will remain critical as web platforms continue integrating third-party services.