Cyber: Wikipedia Hit By Self-propagating Javascript Worm That Vandalized...

The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.

Editors first reported the incident on Wikipedia's Village Pump (technical), where users noticed a large number of automated edits adding hidden scripts and vandalism to random pages.

Wikimedia engineers temporarily restricted editing across projects while they investigated the attack and began reverting changes.

According to Wikimedia's Phabricator issue tracker, it appears the incident started after a malicious script hosted on Russian Wikipedia was executed, causing a global JavaScript script on Wikipedia to be modified with malicious code.

The malicious script was stored at User:Ololoshka562/test.js [Archive], first uploaded in March 2024 and allegedly associated with scripts used in previous attacks on wiki projects.

Based on edit histories reviewed by BleepingComputer, the script is believed to have been executed for the first time by a Wikimedia employee account earlier today while testing user-script functionality. It is not currently known whether the script was executed intentionally, accidentally loaded during testing, or triggered by a compromised account.

BleepingComputer's review of the archived test.js script shows it self-propagates by injecting malicious JavaScript loaders into both a logged-in user's common.js and Wikipedia's global MediaWiki:Common.js, which is used by everyone.

MediaWiki allows both global and user-specific JavaScript files, such as MediaWiki:Common.js and User:<username>/common.js, which are executed in editors’ browsers to customize the wiki interface.

After the initial test.js script was loaded in a logged-in editor's browser, it attempted to modify two scripts using that editor's session and privileges:

If the global script was successfully modified, anyone loading it would automatically execute the loader, which would then repeat the same steps, including infecting their own common.js, as shown below.

Source: BleepingComputer
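
A defender-side check for the propagation path described above, as an added example that is not from BleepingComputer's article or Wikimedia's code: it scans the source of a common.js-style page for loader calls that pull a script from another user's namespace or from an untrusted host. The loader function names are real MediaWiki/jQuery calls; the page titles, hosts and user names are constructed, and the patterns are an assumption about what a loader looks like, since the article does not reproduce it.

```javascript
// Added example: audit MediaWiki JavaScript pages for script-loader calls.
// Loader names are real MediaWiki/jQuery functions; titles and sources below are constructed.
const LOADER_CALL =
  /(?<![\w$])(importScript|importScriptURI|mw\.loader\.load|mw\.loader\.getScript|\$\.getScript)\s*\(\s*(['"])(.*?)\2/g;

// Owner of a "User:<name>/..." page, or null for site-wide pages such as MediaWiki:Common.js.
function pageOwner(title) {
  const m = /^User:([^/]+)\//i.exec(title);
  return m ? m[1] : null;
}

// Wiki page a loader target names: a bare title, /wiki/<title>, or index.php?title=<title>.
function targetTitle(target) {
  let t = target;
  try { t = decodeURIComponent(target); } catch (e) { /* keep the raw string */ }
  const m = /(?:^|\/wiki\/|[?&]title=)((?:User|MediaWiki):[^&?#]+)/i.exec(t);
  return m ? m[1].replace(/_/g, ' ') : null;
}

// Flag loaders in `source` (content of page `title`) that pull code the page owner does not control.
function auditScriptPage(title, source, trustedHosts = []) {
  const owner = pageOwner(title);
  const findings = [];
  for (const [, call, , target] of source.matchAll(LOADER_CALL)) {
    const loaded = targetTitle(target);
    const host = (/^(?:https?:)?\/\/([^/:?#]+)/i.exec(target) || [])[1];
    if (host && !trustedHosts.includes(host.toLowerCase())) {
      findings.push({ call, target, reason: 'untrusted host' });
    } else if (loaded && /^User:/i.test(loaded) && pageOwner(loaded) !== owner) {
      findings.push({ call, target, reason: 'script in another user namespace' });
    }
  }
  return findings;
}

// Constructed samples (hypothetical hosts and user names, not taken from the incident).
const SAMPLES = {
  'MediaWiki:Common.js':
    "mw.loader.load('//ru.wiki.example/w/index.php?title=User:SomeUser/test.js&action=raw&ctype=text/javascript');",
  'User:Alice/common.js':
    "importScript('User:Alice/tools.js');\nimportScript('User:Mallory/x.js');",
};
const REPORT = Object.entries(SAMPLES).map(([title, src]) => ({
  title, findings: auditScriptPage(title, src, ['en.wiki.example']),
}));
```

String matching like this misses obfuscated loaders, so an empty result is inconclusive rather than a clean bill of health.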