Wikipedia Hit by Self-Propagating JavaScript Worm
A dormant JavaScript worm activated during a Wikimedia security review modified 4,000 pages and infected 85 user scripts in 23 minutes before containment.
The Wikimedia Foundation suffered an unusual security incident on March 5, 2026, when a self-propagating JavaScript worm began vandalizing pages and hijacking user scripts across Meta-Wiki. The attack lasted just 23 minutes but modified approximately 3,996 pages and compromised the common.js files of 85 users.
How the Worm Activated
The malicious code had been dormant since March 2024, sitting innocuously at User:Ololoshka562/test.js. Wikimedia Foundation staff accidentally triggered it during a routine security review of user-authored code. An employee account testing user-script functionality executed the payload, and the worm immediately began spreading.
The script's propagation mechanism was clever: it injected malicious JavaScript loaders into both a logged-in user's personal common.js file and Wikipedia's global MediaWiki:Common.js, which runs for every visitor. This dual-injection approach meant the worm could spread through both authenticated sessions and site-wide execution.
Rapid Containment
Wikimedia engineers responded within minutes, temporarily restricting editing privileges across all projects while they investigated the scope. The 23-minute window limited the damage, and the foundation confirmed that no permanent data loss occurred and no personal information was exposed.
"The code was active for a 23 minute period," Wikimedia stated in its incident report. "During that time, it changed and deleted content on Meta-Wiki – which is now being restored – but it did not cause permanent damage."
All modified pages have since been reverted to their pre-incident state. The foundation emphasized that this was not an external attack—the malicious code was already present in the system, waiting to be executed.
A Two-Year-Old Threat
Security researchers noted that the script at User:Ololoshka562/test.js was allegedly associated with similar attacks on wiki projects in prior years. The fact that this code sat undetected for two years raises questions about how thoroughly user-contributed scripts are audited, particularly on platforms that allow arbitrary JavaScript execution.
Wikipedia's open editing model extends to user scripts, which power countless productivity enhancements and customizations. But this same flexibility creates risk. Unlike supply chain attacks targeting package managers, wiki-based script injection doesn't require compromising an upstream dependency—the attack surface is the platform itself.
Why This Matters
The incident highlights an often-overlooked attack vector: user-contributed code on platforms with permissive scripting capabilities. Wikipedia isn't alone in this exposure. Any platform allowing custom JavaScript—browser extensions, SaaS tools with plugin ecosystems, or wikis with user scripts—faces similar risks.
For organizations running internal wikis or documentation platforms with scripting support, this serves as a reminder to audit user-contributed code regularly. Organizations unfamiliar with self-propagating malware should review our malware fundamentals guide for context on worm behavior and containment strategies.
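One concrete form such an audit can take, given the propagation mechanism described earlier (a loader line injected into a user's common.js or the site-wide MediaWiki:Common.js): a static scan of script-page edits that flags newly introduced loader calls pointing at user subpages, external hosts, or dynamic evaluation. This is an added example written for this article, not Wikimedia's tooling or the worm's own code. The loader functions it looks for (mw.loader.load, importScript, importScriptURI, jQuery's $.getScript) are real MediaWiki client APIs; the edit records, page titles, account names and the example.invalid host are constructed for illustration.

```javascript
// Added example, not Wikimedia's code: a static audit pass over edits to
// MediaWiki script pages (*.js) that reports newly added code loaders.
// Sample edits below are constructed; only the loader function names are real.

// Ways a MediaWiki user script can pull in further code. Each regex captures
// the quoted target argument in group 2.
const LOADER_PATTERNS = [
  { kind: "mw.loader.load",  re: /mw\.loader\.load\(\s*(['"])([^'"]+)\1/g },
  { kind: "importScript",    re: /importScript\(\s*(['"])([^'"]+)\1/g },
  { kind: "importScriptURI", re: /importScriptURI\(\s*(['"])([^'"]+)\1/g },
  { kind: "getScript",       re: /\$\.getScript\(\s*(['"])([^'"]+)\1/g },
];

// Dynamic evaluation has no static target to inspect, so it is flagged outright.
const EVAL_RE = /\beval\s*\(|\bnew\s+Function\s*\(/;

// Classify where a loader target points: another account's subpage, an
// external host, a site gadget, or some other site-local resource.
function classifyTarget(target) {
  if (/^(https?:)?\/\//i.test(target)) return "external";
  if (/[?&]title=User:/i.test(target)) return "user"; // raw-page URL form
  if (/^User:[^/]+\/.+\.js$/i.test(target)) return "user";
  if (/^MediaWiki:Gadget-/i.test(target)) return "gadget";
  return "site";
}

// Extract every loader call (and any dynamic eval) from one script source.
function findLoaders(source) {
  const findings = [];
  for (const { kind, re } of LOADER_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(source)) !== null) {
      findings.push({ kind, target: m[2], origin: classifyTarget(m[2]) });
    }
  }
  if (EVAL_RE.test(source)) {
    findings.push({ kind: "eval", target: null, origin: "dynamic" });
  }
  return findings;
}

function isScriptPage(title) {
  return /\.js$/i.test(title);
}

// Audit one edit { title, before, after }: report loaders present after the
// edit that were not present before, and rate them. A risky loader landing in
// a MediaWiki:-namespace page runs for every visitor, hence "critical".
function auditEdit(edit) {
  if (!isScriptPage(edit.title)) {
    return { title: edit.title, severity: "none", added: [] };
  }
  const key = (f) => `${f.kind}|${f.target}`;
  const known = new Set(findLoaders(edit.before).map(key));
  const added = findLoaders(edit.after).filter((f) => !known.has(key(f)));
  const risky = added.filter((f) => f.origin === "user" ||
                                    f.origin === "external" ||
                                    f.origin === "dynamic");
  let severity = "none";
  if (risky.length > 0) {
    severity = /^MediaWiki:/i.test(edit.title) ? "critical" : "high";
  } else if (added.length > 0) {
    severity = "low";
  }
  return { title: edit.title, severity, added };
}

// Constructed sample edits (hypothetical accounts and host).
const SAMPLE_EDITS = [
  { title: "User:ExampleEditor/common.js",
    before: "importScript('MediaWiki:Gadget-HotCat.js');\n",
    after:  "importScript('MediaWiki:Gadget-HotCat.js');\n" +
            "mw.loader.load('//example.invalid/w/index.php?title=User:ExampleAccount/test.js&action=raw&ctype=text/javascript');\n" },
  { title: "MediaWiki:Common.js",
    before: "/* site-wide JS */\n",
    after:  "/* site-wide JS */\nimportScript('User:ExampleAccount/test.js');\n" },
  { title: "User:ExampleEditor/vector.css",               // not a script page
    before: "", after: "mw.loader.load('//example.invalid/x.js');" },
  { title: "User:QuietEditor/common.js",                  // gadget only
    before: "", after: "importScript('MediaWiki:Gadget-Navigation_popups.js');\n" },
];

function auditAll(edits = SAMPLE_EDITS) {
  return edits.map(auditEdit);
}

console.log(JSON.stringify(auditAll(), null, 2));
```

In practice the `before`/`after` bodies would come from the wiki's revision API for each edit to a `.js` title, and a "critical" result on a MediaWiki:-namespace page is the signal that warrants the kind of site-wide edit restriction the foundation applied during containment.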
The Wikimedia Foundation has not announced specific policy changes following the incident, but the security review that inadvertently triggered the worm suggests increased scrutiny of legacy user scripts is already underway.