AppsFlyer’s JavaScript SDK has been compromised in an active supply chain attack. Websites loading the script are serving malicious code to their users without any changes to their own codebase.
What happened
Attackers modified AppsFlyer’s SDK, the script websites load to track marketing attribution. Because the script is served from AppsFlyer’s infrastructure, any site that includes it automatically begins delivering the compromised version to visitors.
Who is affected
Any website that loads the AppsFlyer JavaScript SDK. This includes e-commerce, fintech, healthcare, and SaaS platforms, many of which load the script across every page, including forms and checkout flows.
What the compromised script can access
Scripts run inside the browser with direct access to the page. That includes form fields, keystrokes, authentication tokens, and any data a user submits before it reaches your server.
What to do now
- Confirm whether AppsFlyer loads on any of your pages: check all pages, not just marketing pages
- Remove or block the script until AppsFlyer confirms a clean build
- Review network traffic logs for the past 72 hours for unexpected outbound data calls
- Notify your security and compliance teams if payment or health data was exposed; regulatory reporting obligations may apply
What this illustrates
Third-party scripts run with the same access as your own code, but outside your change management and security review processes. A script that is clean today can be weaponized through a vendor update, a hijacked CDN, or a compromised build pipeline without any action on your part.
PCI DSS 4.0.1 Requirements 6.4.3 and 11.6.1 require continuous inventory and integrity monitoring of scripts on payment pages specifically because of this attack pattern.
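As an added illustration of the "confirm whether the script loads on any of your pages" step and of the script-inventory requirement above (example code written for this article, not Feroot's scanner or anything from AppsFlyer), the script below parses saved HTML pages, lists every third-party script, records whether it carries a Subresource Integrity attribute, and flags any whose host matches a placeholder vendor string. The page contents, hostnames and the vendor string are constructed for the example.

```python
"""Inventory third-party <script> tags across saved HTML pages.

Assumptions (constructed for this example): pages are fetched separately and
passed in as strings; VENDOR_HOST_MARKER is a placeholder for the vendor host
you expect to see, not a real indicator from the incident.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

VENDOR_HOST_MARKER = "appsflyer"  # placeholder substring; substitute the real host


class ScriptCollector(HTMLParser):
    """Collects the src and integrity attribute of every external <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag names
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def inventory(pages, first_party_host):
    """Return {path: [findings]} for every third-party script on each page."""
    report = {}
    for path, html in pages.items():
        parser = ScriptCollector()
        parser.feed(html)
        findings = []
        for s in parser.scripts:
            host = urlparse(s["src"]).netloc.lower()
            if not host or host == first_party_host:
                continue  # relative or first-party script: not a third-party load
            findings.append({"src": s["src"], "host": host,
                             "sri": s["integrity"] is not None,
                             "vendor_hit": VENDOR_HOST_MARKER in host})
        report[path] = findings
    return report


def pages_with_vendor(report):
    """Paths on which the vendor script loads, e.g. to check checkout flows."""
    return sorted(p for p, f in report.items() if any(x["vendor_hit"] for x in f))


# Constructed sample pages: a marketing page and a checkout page (not real sites)
PAGES = {
    "/": '<html><head><script src="/static/app.js"></script><script '
         'src="https://cdn.other-vendor.example/tag.js" integrity="sha384-PLACEHOLDER" '
         'crossorigin="anonymous"></script></head></html>',
    "/checkout": '<html><body><form><input name="card"></form><script '
                 'src="https://websdk.appsflyer.example/sdk.js"></script></body></html>',
}
```

A script pinned with an `integrity` hash fails closed when the vendor ships a different build, legitimate or not, so treat SRI on frequently updated vendor scripts as a deliberate trade-off rather than a drop-in fix.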
A deeper technical analysis of this attack, including indicators of compromise and script behavior patterns, will be published shortly.
Feroot Security monitors script behavior inside browsers in real time. If you want to know what scripts are running on your site and what they’re doing, you can request a free scan here.