Bilibili Employee Injected Malicious Code into Web Frontend, Triggering Account Ban Messages
A former Bilibili engineer inserted malicious JavaScript into the platform's web frontend, causing some users to see a fake account‑ban notice, which exposed internal code‑review weaknesses and sparked widespread discussion about insider threats and web security.
On January 20, a former Bilibili employee named Ni Moucheng used his privileged access to embed malicious JavaScript into Bilibili's web frontend, loaded from a domain he personally controlled, causing affected users to encounter a fake "your account has been banned" page.
The incident was not caused by a technical vulnerability but by abuse of internal privileges; Bilibili promptly dismissed the employee, removed the malicious script, and began an internal investigation.
Ni was a key contributor to the open‑source DanmakuX Android danmaku engine, which provides efficient rendering, multi‑core optimization, and customizable display options for live‑stream comments.
The injected script was loaded from hxxps://www.jakobzhao.online/main.js and possibly from the employee's personal blog as well; neither domain currently resolves in DNS.
This attack highlighted shortcomings in Bilibili's code review and release processes, raising concerns about internal security controls and the risk of insider threats.
Users were advised to clear browser caches and cookies to eliminate any residual effects, and the incident sparked extensive discussion on forums about the need for stronger security practices and open‑source transparency.
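The weakness the article points to is a release process that let a frontend bundle pull JavaScript from an origin nobody on the team had approved. The following is an added example, not Bilibili's code nor anything from the engineer involved: a release-gate check that scans built HTML and JavaScript for script loads from origins outside an allowlist, plus a helper that emits the matching Content-Security-Policy `script-src` directive. The site origin, the CDN origin, and the injected-loader sample are all constructed placeholders.

```javascript
// Added example (not Bilibili's code): flag script loads whose origin is not on
// the team's allowlist, so a bundle that pulls JavaScript from a personal
// domain fails the release gate instead of reaching users.

// Constructed placeholder for the site's own static-asset CDN.
const ALLOWED_SCRIPT_ORIGINS = ["https://static.example-cdn.test"];

// <script ... src="..."> tags in built HTML; the quote may be " or '.
const SCRIPT_TAG_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
// Absolute http(s) URLs ending in .js inside string literals, which covers the
// common dynamic-loader pattern: s.src = "https://.../main.js".
const JS_URL_LITERAL_RE = /["'](https?:\/\/[^"'\s]+\.js(?:\?[^"'\s]*)?)["']/gi;

// Resolve a possibly relative URL against the site origin and return its
// origin, or null when it cannot be parsed (reported, not silently skipped).
function originOf(url, baseOrigin) {
  try {
    return new URL(url, baseOrigin).origin;
  } catch {
    return null;
  }
}

// Return every script load whose origin is neither the site itself nor on the
// allowlist. Each finding carries the raw URL and its resolved origin.
function findDisallowedScriptLoads(content, { baseOrigin, allowedOrigins }) {
  const allowed = new Set([baseOrigin, ...allowedOrigins]);
  const seen = new Set();
  const findings = [];
  for (const re of [SCRIPT_TAG_RE, JS_URL_LITERAL_RE]) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(content)) !== null) {
      const url = m[1];
      if (seen.has(url)) continue;
      seen.add(url);
      const origin = originOf(url, baseOrigin);
      if (origin === null || !allowed.has(origin)) {
        findings.push({ url, origin });
      }
    }
  }
  return findings;
}

// Matching CSP directive: browsers then refuse script from any other origin,
// which is defence in depth even if the release gate is bypassed.
function buildScriptSrcCsp(allowedOrigins) {
  return `script-src 'self' ${allowedOrigins.join(" ")};`;
}

// Constructed sample of a built page: two legitimate loads and one inline
// loader that fetches a script from an unapproved personal domain.
const SAMPLE_BUILT_HTML = `
<!doctype html><html><head>
<script src="/static/app.3f2a.js"></script>
<script src="https://static.example-cdn.test/vendor.js"></script>
<script>
  // constructed stand-in for an injected loader
  var s = document.createElement("script");
  s.src = "https://personal-domain.example/main.js";
  document.head.appendChild(s);
</script>
</head><body></body></html>`;

const SITE_ORIGIN = "https://www.example.test"; // constructed placeholder

const findings = findDisallowedScriptLoads(SAMPLE_BUILT_HTML, {
  baseOrigin: SITE_ORIGIN,
  allowedOrigins: ALLOWED_SCRIPT_ORIGINS,
});
console.log(JSON.stringify(findings, null, 2));
console.log(buildScriptSrcCsp(ALLOWED_SCRIPT_ORIGINS));
```

Run as a CI step over the build output and fail the pipeline when `findDisallowedScriptLoads` returns anything. The CSP directive complements the gate but does not replace it: a policy of `'self'` plus the CDN blocks both the inline loader and the fetch from the personal domain, yet it cannot stop malicious code that an insider compiles directly into the first-party bundle, which is why the article's point about code review and release controls still stands.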
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.