Date: 2026-03-06

A recent security incident affected Wikipedia when a self-propagating JavaScript worm began modifying user scripts and vandalizing pages. The problem was first noticed by editors who reported unusual automated edits appearing across the platform. Many pages were suddenly altered with hidden scripts and unwanted content, which raised concerns within the editing community.

The incident was quickly discussed on Wikipedia’s technical discussion forum, known as the Village Pump. Editors observed that several random pages were being changed automatically, and some user script files were also being modified without permission. These edits appeared to contain malicious JavaScript code that could spread from one user to another.

Malicious JavaScript Worm Targets Wikipedia User Scripts and Pages

After the reports surfaced, engineers from the Wikimedia Foundation responded by temporarily restricting editing across multiple Wikimedia projects. This precaution was taken to stop the spread of the worm while investigators analyzed the problem and worked to remove the malicious code. During this time, teams began reverting the unauthorized edits and restoring affected pages.

Initial investigations showed that the problem began when a malicious script hosted on Russian Wikipedia was executed. The script, named test.js, had originally been uploaded in March 2024 and was stored in a user’s script page. According to reports, the file had previously been associated with scripts used in earlier attacks on wiki projects.

The script appears to have been activated earlier in the day while Wikimedia staff were testing user-script functionality as part of a security review. It is still unclear whether the script was executed intentionally during testing, accidentally loaded, or triggered through another method. However, once it was executed, the script began spreading automatically.

The worm worked by injecting malicious JavaScript loaders into two key locations: the user’s personal common.js file and Wikipedia’s global MediaWiki:Common.js file. These files are used to customize the wiki interface and run scripts in editors’ browsers. By modifying them, the worm could run whenever a logged-in editor visited the site.

If a user’s common.js file was changed, the malicious script would automatically load whenever that user browsed the wiki while logged in. If the infected user had higher editing privileges, the worm could also modify the global script used by everyone. This allowed the malicious code to spread even faster across the platform.

The script also included another damaging feature. It could automatically select a random page using Wikipedia’s Special:Random function and then edit the page by inserting a large image along with a hidden JavaScript loader. This hidden code would help continue the infection cycle.
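The spread through common.js files described above leaves a recognizable trail: the same loader target added to many accounts' script pages within minutes. The following is an added detection sketch, not Wikimedia's tooling or code from the incident. The edit-record shape, the 10-minute window, the three-account threshold, and all names in the sample feed are assumptions or constructed placeholders.

```javascript
// Edits to personal or site-wide script pages are the ones that matter here.
const SCRIPT_PAGE = /^(?:User:[^/]+\/common\.js|MediaWiki:Common\.js)$/i;
// Standard MediaWiki ways to pull in another script; capture the quoted target.
const LOADER = /(?:mw\.loader\.(?:load|getScript)|importScript)\s*\(\s*(['"])(.+?)\1/g;

function loaderTargets(addedText) {
  return [...addedText.matchAll(LOADER)].map((m) => m[2]);
}

// Alert when the same loader target is added to script pages by at least
// `minUsers` distinct accounts inside one sliding window of `windowMs`.
function findPropagation(edits, { windowMs = 10 * 60 * 1000, minUsers = 3 } = {}) {
  const byTarget = new Map(); // loader target -> script-page edits that added it
  for (const e of edits) {
    if (!SCRIPT_PAGE.test(e.title)) continue; // ignore non-script pages
    for (const target of new Set(loaderTargets(e.addedText))) {
      if (!byTarget.has(target)) byTarget.set(target, []);
      byTarget.get(target).push(e);
    }
  }
  const alerts = [];
  for (const [target, hits] of byTarget) {
    hits.sort((a, b) => a.timestamp - b.timestamp);
    let start = 0;
    for (let end = 0; end < hits.length; end++) {
      while (hits[end].timestamp - hits[start].timestamp > windowMs) start++;
      const slice = hits.slice(start, end + 1);
      const users = new Set(slice.map((h) => h.user));
      if (users.size >= minUsers) {
        // siteWide: the same target also reached the global script page.
        const siteWide = slice.some((h) => /^MediaWiki:/i.test(h.title));
        alerts.push({ target, users: [...users].sort(), siteWide });
        break;
      }
    }
  }
  return alerts;
}

// Constructed sample feed (hypothetical record shape, placeholder names).
const T0 = Date.UTC(2026, 0, 1, 12, 0, 0);
const SAMPLE_EDITS = [
  { title: 'User:Alice/common.js', user: 'Alice', timestamp: T0, addedText: "importScript('User:Placeholder/loader.js');" },
  { title: 'User:Bob/common.js', user: 'Bob', timestamp: T0 + 60e3, addedText: 'mw.loader.load("User:Placeholder/loader.js");' },
  { title: 'MediaWiki:Common.js', user: 'Carol', timestamp: T0 + 120e3, addedText: "importScript('User:Placeholder/loader.js');" },
  { title: 'User:Dave/common.js', user: 'Dave', timestamp: T0 + 30e3, addedText: "importScript('User:Dave/mytool.js');" },
  { title: 'Sandbox', user: 'Erin', timestamp: T0 + 90e3, addedText: "importScript('User:Placeholder/loader.js');" },
];
console.log(findPropagation(SAMPLE_EDITS));
```

Dave's edit is the benign case: one account adding its own tool never reaches the threshold, while the shared target seen on three accounts, one of them the global script page, raises a single site-wide alert.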

Security analysis later showed that nearly 3,996 pages were modified during the incident, and about 85 user script files were replaced. Some pages may also have been deleted during the attack, though the exact number remains unknown.

Engineers worked quickly to contain the issue by removing the injected code and restoring affected pages. They also rolled back many user script files and suppressed the malicious edits so they would no longer appear in public change histories.

According to the Wikimedia Foundation, the malicious code was active for only 23 minutes. During that time, it mainly affected Meta-Wiki pages, which are now being restored. The organization also confirmed that there is no evidence of personal data being accessed or stolen.

Although the situation was resolved quickly, the incident highlights the risks associated with user-generated scripts. Wikimedia has stated that it is developing additional security measures to reduce the chances of similar problems happening in the future.