One of the world’s most trusted knowledge platforms briefly faced chaos this week after a self-propagating JavaScript worm began spreading across Wikimedia projects, altering user scripts and vandalizing thousands of pages.
The incident, which affected multiple sites under the Wikimedia Foundation umbrella, forced engineers to temporarily restrict editing while they worked to contain and remove the malicious code.
A Worm Hidden in Wiki Scripts
The security incident began when a malicious JavaScript file was executed inside the wiki environment. The script leveraged how Wikimedia allows editors to use custom JavaScript files—such as common.js—to personalize the interface. These scripts run in the browser whenever editors access the site.
According to researchers, the worm was designed to self-propagate automatically. Once executed in a logged-in user’s browser, it attempted to modify two critical scripts:
- User-level scripts (User:<username>/common.js), to ensure the malicious loader would run whenever that user browsed the site.
- The global MediaWiki:Common.js script, which runs for all users across the platform.
If a user with elevated privileges loaded the infected script, the worm could spread even faster by modifying the global script and infecting other users automatically.
Thousands of Pages Altered
During its spread, the worm also performed visible acts of vandalism. It automatically edited random pages retrieved via Wikipedia’s Special:Random function and inserted hidden JavaScript loaders within the content.
Investigators found that:
- Approximately 3,996 pages were modified
- About 85 user scripts were overwritten
All of this happened before engineers detected the activity and began responding to the incident.
Because of the rapid spread, the Wikimedia team temporarily restricted editing across multiple projects while it reverted changes and removed the malicious code.
What Triggered the Incident?
Initial analysis suggests the script was first executed during a security review of user-authored code conducted by Wikimedia staff. During that process, dormant malicious code was inadvertently activated.
The foundation later clarified that the worm was active for only about 23 minutes, during which it primarily affected Meta-Wiki pages. Most of the vandalized content has already been restored.
Importantly, the foundation emphasized that:
- There is no evidence of a broader cyberattack
- No personal data or user information was compromised
Rapid Containment
Once the issue was identified, engineers quickly implemented mitigation steps:
- Temporarily disabled editing across affected projects
- Rolled back modified user scripts
- Removed malicious JavaScript loaders
- Restored affected pages from previous revisions
After confirming that the malicious code had been removed, editing capabilities were gradually restored.
Lessons for Open Platforms
The incident highlights the unique security challenges of collaborative platforms like Wikipedia. The same flexibility that allows editors to customize the site with scripts also becomes an attack surface once malicious code is injected into those scripts.
Self-propagating worms in web environments are particularly dangerous because they can spread automatically through user sessions and shared scripts.
Security experts say platforms relying on user-generated code must maintain strong safeguards such as:
- strict script permission controls
- continuous monitoring of shared code repositories
- automated detection of malicious script injections
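As an added illustration of the last safeguard (this is example code, not anything Wikimedia runs), the following scanner walks a batch of recent-change records shaped loosely like MediaWiki "recentchanges" entries and flags the three behaviours described above: edits to the site-wide MediaWiki:Common.js, user common.js edits that start loading additional code, and script loaders inserted into ordinary content pages. The records, field names and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample records (not real Wikimedia data): title, namespace,
# editing account and the text the edit added.
SAMPLE_CHANGES = [
    {"title": "User:Alice/common.js", "ns": 2, "user": "Alice",
     "added": "mw.loader.load('//example.invalid/loader.js');"},
    {"title": "MediaWiki:Common.js", "ns": 8, "user": "Alice",
     "added": "importScript('User:Alice/common.js');"},
    {"title": "Some article", "ns": 0, "user": "Alice",
     "added": "<script src=\"//example.invalid/x.js\"></script>"},
    {"title": "Another article", "ns": 0, "user": "Bob",
     "added": "Added a citation to the second paragraph."},
    {"title": "User:Bob/common.js", "ns": 2, "user": "Bob",
     "added": "// wider edit box\n$('#wpTextbox1').css('width', '100%');"},
]

# Constructs that pull in or inject script; legitimate in a .js page a user
# wrote for themselves, never expected inside article text.
LOADER_RE = re.compile(
    r"mw\.loader\.load\s*\(|importScript\s*\(|importScriptURI\s*\(|<script\b", re.I)
SITE_JS_NS, USER_NS = 8, 2  # MediaWiki: and User: namespaces

def classify(change):
    """Return the findings for one change record (empty list if benign)."""
    findings = []
    title, ns, added = change["title"], change["ns"], change["added"]
    is_js_page = title.endswith(".js")
    if ns == SITE_JS_NS and is_js_page:
        findings.append("site-wide script modified")
    elif ns == USER_NS and is_js_page and LOADER_RE.search(added):
        findings.append("user script now loads additional code")
    if ns == 0 and LOADER_RE.search(added):
        findings.append("script loader inserted into content page")
    return findings

def scan(changes, burst_threshold=3):
    """Per-edit findings plus a burst alert for accounts touching many pages."""
    alerts, per_user = [], Counter()
    for c in changes:
        alerts.extend((c["user"], c["title"], f) for f in classify(c))
        per_user[c["user"]] += 1
    for user, n in per_user.items():
        if n >= burst_threshold:
            alerts.append((user, "*", f"{n} pages edited in one window"))
    return alerts
```

Bob's cosmetic common.js edit produces no finding, which is the distinction a monitor on a platform like this has to make: customization is normal, loading code from elsewhere or editing the site-wide script is what warrants review.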
What Happens Next
The Wikimedia Foundation says it is developing additional safeguards to prevent similar incidents in the future and plans to release further updates through its public incident logs.
While the worm caused temporary disruption and vandalism, the quick response from engineers ensured the incident had no lasting impact on Wikipedia’s infrastructure or user data.
