A self-propagating JavaScript worm injected into Wikipedia pages and user scripts, forcing rapid lockdowns and sparking a community-led emergency response.

Continue reading
A self-propagating JavaScript worm began vandalizing pages and injecting hidden scripts across multiple Wikimedia wikis on March 5, 2026, forcing rapid emergency actions and a community lockdown while editors and engineers worked to contain the outbreak.
Editors noticed automated edits that added hidden scripts and visible vandalism to random pages. The edits quickly spread because the malicious JavaScript injected) itself into central/global scripts and into users’ personal gadget scripts, allowing the code to execute for many users and to propagate further. The incident was first flagged on community discussion pages and amplified by volunteers and security watchers.
For a running community thread and first-hand observer notes, see the Reddit megathread tracking the situation.
According to community investigators and discussion on technical forums, the attack used an old malicious script originally observed in 2023 targeting smaller Russian-language wikis. That script can be embedded into a global JavaScript page (for exa,mple a global.js or sysop gadget), which then runs in the browsers of visitors and editors who load pages where the script is active. Once executed, it attempted to persist by copying itself into other user scripts and pages, producing a self-propagating effect. This pattern explains the fast spread and why rolling back a single page did not immediately stop the behavior.
Wikis rely on client-side gadgets and global JavaScript as a feature. That flexibility is powerful, but it also creates an attack surface. A malicious snippet placed in a site-wide script runs with the privileges of the page in every visitor’s browser, which enables both visible vandalism and stealthy persistence. The incident shows how provenance, code review, and least-privilege controls for community-maintained scripts are not optional.
At the time of reporting, multiple Wikimedia projects experienced vandalism or unwanted script insertion. The Wikimedia Foundation and volunteer stewards coordinated to identify and revert affected pages and scripts. The full forensic scope and whether any user accounts were directly compromised were under investigation.
Open, community-driven platforms need layered defenses: automated scanning for suspicious script changes, stricter gating for global site scripts, audit trails with easy rollback, and rapid incident playbooks that include both engineers and community moderators. For projects with community code injection, the human review step matters as much as technical controls.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation