Supply Chain Attacks Are Getting Sneakier: What This Week's SDK Hijacking Teaches Us
Supply Chain Attacks Are Getting Sneakier: What This Week’s SDK Hijacking Teaches Us
I’ve been tracking some concerning developments in supply chain security this week, and honestly, the sophistication of these attacks is starting to keep me up at night. Between the AppsFlyer SDK compromise and the evolving GlassWorm campaign, it’s clear that attackers are getting much better at weaponizing our development tools against us.
The AppsFlyer Wake-Up Call
Let’s start with the big one: AppsFlyer’s Web SDK was temporarily hijacked to distribute crypto-stealing JavaScript. If you’re not familiar with AppsFlyer, they’re a major mobile attribution and marketing analytics platform used by thousands of companies worldwide.
What makes this particularly nasty is the blast radius. When you compromise a widely-used SDK like this, you’re not just hitting one target – you’re potentially affecting every website that includes that SDK. The attackers injected malicious code designed to steal cryptocurrency, and given AppsFlyer’s reach, we’re talking about potential exposure across thousands of sites.
The scary part? Most developers trust these third-party SDKs implicitly. We include them in our builds, often without rigorous ongoing monitoring of what they’re actually doing. This incident is a harsh reminder that every external dependency is a potential attack vector.
GlassWorm’s Evolution Shows Attacker Innovation
Speaking of supply chain sophistication, the GlassWorm campaign has taken an interesting turn. Instead of embedding malicious code directly in each extension, the attackers are now abusing extensionPack and extensionDependencies in the Open VSX registry to create transitive infections.
This is clever – and concerning. By using legitimate dependency mechanisms, they’re making their malicious extensions look more authentic. An extension might appear completely benign on its own, but when installed, it pulls in other extensions that contain the actual payload. It’s like a Russian nesting doll of malware, and it makes detection significantly harder.
The fact that 72 extensions were involved shows this isn’t some script kiddie operation. This level of coordination and persistence suggests we’re dealing with a well-resourced threat actor who understands our development ecosystem intimately.
Chrome Zero-Days Remind Us Browsers Are Prime Targets
On a related note, Google patched two Chrome zero-days that were being actively exploited. CVE-2026-3909 affects the Skia graphics library, while the second targets the V8 JavaScript engine. Both are high-severity vulnerabilities that could allow remote code execution through crafted HTML pages.
What’s particularly interesting is that these vulnerabilities target core browser components that process content from every website you visit. The Skia vulnerability, with its CVSS score of 8.8, allows out-of-bounds memory access – exactly the kind of primitive attackers love for building reliable exploits.
If you’re managing Chrome deployments, make sure you’re pushing these updates immediately. The fact that these were being exploited in the wild means attackers already have working exploits.
The Stryker Attack Shows Living-off-the-Land Tactics
The Iran-linked attack on Stryker demonstrates another troubling trend: attackers using legitimate administrative tools instead of traditional malware. In this case, they used existing endpoint management software to wipe devices, disrupting manufacturing and shipping operations.
This “living-off-the-land” approach is particularly challenging for our detection systems. When attackers use tools that are supposed to be there, traditional IOC-based detection falls short. It requires us to focus more on behavioral analysis and understanding what normal administrative activity looks like in our environments.
Google’s Bug Bounty Numbers Tell a Story
On a more positive note, Google paid out $17 million in bug bounty rewards in 2025, with over $3.7 million going to Chrome vulnerabilities alone and $3.5 million for cloud security issues.
These numbers tell us two things: first, that Google is serious about finding and fixing vulnerabilities before attackers do. Second, that there are still plenty of bugs to be found, even in mature products like Chrome. The fact that cloud security commanded such a large portion of the payouts reflects the reality of where our critical infrastructure lives today.
What This Means for Our Defense Strategy
Looking at these incidents together, a few patterns emerge. Supply chain attacks are becoming more sophisticated and harder to detect. Attackers are getting better at using our own tools against us. And even with massive investments in security, new vulnerabilities continue to surface in critical software.
For those of us defending networks, this reinforces the need for defense in depth. We can’t just trust that our third-party dependencies are secure – we need monitoring and controls that can detect when they’re compromised. We need behavioral analysis that can spot when legitimate tools are being misused. And we need rapid patch management processes that can respond to zero-day disclosures.
The threat landscape isn’t just evolving – it’s professionalizing. Our defenses need to keep pace.
Sources
- AppsFlyer Web SDK hijacked to spread crypto-stealing JavaScript code
- GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers
- Google Paid Out $17 Million in Bug Bounty Rewards in 2025
- Iran-Linked Hacker Attack on Stryker Disrupted Manufacturing and Shipping
- Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8