The AppsFlyer Web SDK was hijacked this month to deliver malicious JavaScript that swapped copied cryptocurrency wallet addresses with attacker-controlled ones on a segment of customer websites. Feroot disclosed the incident on March 11, and AppsFlyer later said the compromise stemmed from a domain registrar incident that affected only the Web SDK.
According to the disclosure, the malicious code was served from websdk[.]appsflyer[.]com between March 9 and March 10 before it was removed. Feroot said the injected JavaScript monitored clipboard activity and replaced wallet addresses during copy-and-paste actions, allowing attackers to redirect cryptocurrency transfers.
AppsFlyer told BleepingComputer that the incident did not affect its mobile SDKs and was limited to the Web SDK served through the impacted domain. The company said the issue was contained and that no action was required for customers using only mobile implementations.
The compromise turned a trusted third-party script into a delivery mechanism for malicious code on downstream sites that loaded the SDK. Feroot attributed the discovery to its web security monitoring and said the affected script was distributed through AppsFlyer's content delivery path rather than through changes made directly on customer websites.
Cyberwarzone previously reported on other trusted-software compromises, including the Shai-Hulud supply-chain attack that abused npm tokens and the Pulse Secure incident involving a backdoor in VPN software.