How a JavaScript Worm Hijacked Wikipedia via User Scripts

Global knowledge platform Wikipedia suffered a rare self‑propagating JavaScript worm attack that spread through the wiki's user‑script mechanism, altering page content and inserting destructive scripts, exposing security gaps in user‑generated code.

On 5 March 2026 the Wikimedia Foundation detected a worm that moved across several wiki projects, vandalizing pages and broadly modifying user scripts. BleepingComputer reported the incident as a unique attack on a worldwide knowledge platform.

Worm Propagation Mechanism: Leveraging Core Wiki Features

The worm exploited MediaWiki's core feature—user scripts. Logged‑in users can create custom JavaScript stored in their personal common.js page, which runs automatically when the user visits any wiki page. This convenience became the worm's propagation medium.

Propagation path:

Initial infection: Malicious script was uploaded to the Russian Wikipedia ( ru.wikipedia.org) as early as March 2024.

Accidental trigger: On 5 March 2026 a Wikimedia staff account apparently executed the script while testing the user‑script feature, causing the first spread.

User‑script hijack: The worm altered the User:Username/common.js file of logged‑in users, injecting malicious code.

Global script tampering: It also modified the global MediaWiki:Common.js file, affecting all visitors.

Cross‑project spread: By exploiting shared resources and single sign‑on, the worm moved laterally across Wikipedia, Wiktionary, Wikibooks and other projects.

Attack Impact: Global Knowledge Base Tampered

The worm affected multiple Wikimedia projects, including language versions of Wikipedia, Wiktionary, and Wikibooks.

Destructive actions:

Inserted harmful content into pages, degrading reading experience.

Redirected users to suspicious sites, potentially spreading additional malware.

Embedded persistent code in infected accounts' user scripts.

Emergency response:

Wikimedia engineers quickly restricted editing on the infected projects.

Large‑scale cleanup of altered scripts and pages began.

Review of the user‑script mechanism and consideration of extra security controls.

Because the worm altered scripts rather than the article content database, most encyclopedia content remained intact, but the incident revealed a long‑standing blind spot for users relying on custom scripts.

User Scripts: A Double‑Edged Sword of Convenience and Risk

Since 2004 MediaWiki has offered UserScripts, allowing users to:

Customize interface layout and themes.

Add auxiliary editing tools.

Implement advanced search and navigation features.

Share script code with other users.

However, the feature introduces security risks:

Arbitrary code execution: Scripts run with the current user's privileges and can execute any JavaScript.

Privilege escalation: Modifying the global MediaWiki:Common.js requires specific rights, but many active editors and privileged users possess them.

Cross‑site scripting (XSS): Malicious scripts can leverage single sign‑on to spread across projects.

Audit difficulty: User‑generated scripts lack mandatory security review.

Previous incidents have used similar mechanisms for malicious redirects, cryptomining script injection, and data theft, but this self‑propagating worm demonstrated a far greater scope and stealth.

Security Lessons: Reflections on Platform Design

The Wikipedia JavaScript worm provides key lessons for collaborative platforms:

On user‑generated code:

Implement script signing or sandboxing to limit permissions.

Establish mandatory code‑review processes, especially for global scripts.

Offer safer, feature‑limited customization options to balance convenience and security.

On permission management:

Restrict modification rights for global scripts to only essential accounts.

Apply permission separation to prevent lateral movement via single sign‑on.

Introduce auditing and monitoring for privileged accounts.

On incident response:

Develop automated detection for malicious scripts.

Create rapid response playbooks for user‑script attacks.

Strengthen collaboration with the security community to obtain timely threat intelligence.

Conclusion

As one of the world’s most visited knowledge platforms, Wikipedia’s security sets a benchmark for the internet ecosystem. This JavaScript worm attack shows that even seemingly harmless features can become attack vectors in complex systems. Platforms that rely on user‑generated content and scripts must embed security into every design stage, often making tough trade‑offs between usability and protection.

Wikimedia has pledged to review the user‑script mechanism, and the incident may spur the broader industry to rethink the safety of user‑generated code.

References:

BleepingComputer: Wikipedia hit by self‑propagating JavaScript worm that vandalized pages

Wikimedia Security Advisory (2026‑03‑05)

This article is for security research purposes only; please comply with local laws and regulations.