Wikipedia briefly went into “read-only mode” this morning and disabled article editing after a malicious piece of code was detected that could delete entries.
Initially, Wikipedia editors uncovered evidence that the Wikimedia Foundation, the nonprofit that oversees the online encyclopedia, seemed to be fending off a vandalism attempt. An automated attack was traced to a JavaScript program designed to secretly hijack admin accounts and delete random articles.
(Credit: wikimediastatus.net)
The attack affected the WMFOffice account, which is tied to the Wikimedia Foundation. When deleting articles, it was found writing in the edit summary, “Закрываем проект,” which means “We are closing the project.” That said, the edits appeared to have been made only on the nonprofit’s Meta-Wiki site dedicated to the foundation’s software projects.
The edit history showing the Russian text. (Credit: meta.wikimedia.org)
Still, one user traced the vandalism to JavaScript code added to the Russian-language Wikipedia site in March 2024, meaning it had been dormant for nearly two years. The computer code mentions triggering “Special:Nuke,” an extension meant for Wikipedia administrators to delete recently created pages en masse. The script also appears to run the Nuke function in loops to target random articles and includes a function to place a nonexistent “Woodpecker10.jpg” image.
The attack prompted some observers to compare it to a computer worm; if the malicious JavaScript had been loaded on a main Wikipedia or Wikimedia page, it could theoretically hijack the edit functions of any admin account that visited the manipulated sites. The attack also bears similarities to the tactics of a Russian bad actor group that targeted Russian Wiki pages years ago, suggesting the malicious Javascript originated from a much earlier vandalism campaign.
As for why the attack was triggered today, a security-related account for the Wikimedia Foundation was found testing all JavaScript programs on Wikipedia this morning and likely loaded the long-dormant, but malicious Javascript. Hence, it wasn’t a deliberate hacking attempt, but an accidental activation.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
In a statement, the nonprofit confirmed the issue. “Earlier today, Wikimedia Foundation staff were conducting a security review of user-authored code on Wikipedia,” the group told PCMag. “During that review, we activated dormant code that was then quickly identified to be malicious. As a preventative measure, we temporarily disabled editing on Wikipedia and other Wikimedia projects while we removed the malicious code and confirmed the website was safe for user activity. The security issue behind this disruption has now been resolved.
“The code was active for a 23-minute period,” the nonprofit added. “During that time, it changed and deleted content on Meta-Wiki—which is now being restored—but it did not cause permanent damage. We have no evidence that Wikipedia was under attack or that personal information was breached as part of this incident. We are developing additional security measures to minimize the risk of this kind of incident happening again.”
Recommended by Our Editors
(Credit: wikimediastatus.net)
The Wikimedia Foundation’s status page also notes: “The issue has been identified and a fix is being implemented.”
Wikipedia also blocked the account Ololoshka562, which uploaded the malicious JavaScript code nearly two years ago as simply “test.js.”
Editor’s note: This story has been corrected to note the malicious Javascript added the Russian text on the edit summary for affected articles.
About Our Expert
Michael Kan
Senior Reporter
Experience
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
Read Full Bio
