alt.hn

3/5/2026 at 4:04:54 PM

Wikipedia in read-only mode following mass admin account compromise

https://www.wikimediastatus.net

by greyface-

3/5/2026 at 6:24:25 PM

See the public phab ticket: https://phabricator.wikimedia.org/T419143

In short, a Wikimedia Foundation account was doing some sort of test which involved loading a large number of user scripts. They decided to just start loading random user scripts, instead of creating some just for this test.

The user who ran this test is a Staff Security Engineer at WMF, and naturally they decided to do this test under their highly-privileged Wikimedia Foundation staff account, which has permissions to edit the global CSS and JS that runs on every page.

One of those random scripts was a 2 year old malicious script from ruwiki. This script injects itself in the global Javascript on every page, and then in the userscripts of any user that runs into it, so it started spreading and doing damage really fast. This triggered tons of alerts, until the decision was made to turn the Wiki read-only.

by tux3

3/5/2026 at 9:31:49 PM

This is a pretty egregious failure for a staff security engineer

by Ferret7446

3/5/2026 at 9:48:10 PM

Pretty much the definition of a “career limiting event”

by mcmcmc

3/5/2026 at 10:31:17 PM

It's either a Career Limiting Event, or a Career Learning event.

In the case of a Learning event, you keep your job, and take the time to make the environment more resilient to this kind of issue.

In the case of a Limiting event, you lose your job, and get hired somewhere else for significantly better pay, and make the new environment more resilient to this kind of issue.

Hopefully the Wikimedia foundation is the former.

by modderation

3/5/2026 at 10:13:35 PM

Nobody is going to know who did this, so probably not career limiting in any major way.

by radicaldreamer

3/5/2026 at 10:20:09 PM

They named him in the support ticket linked here somewhere.

> sbassett

by xeromal

3/5/2026 at 10:02:56 PM

They'll be fine, recruiters don't look this stuff up and generally background checks only care about illegal shit.

by xvector

3/5/2026 at 9:50:27 PM

[flagged]

by pocksuppet

3/5/2026 at 9:55:04 PM

Is ok, the AI was going to replace them in a few weeks anyway.

by adxl

3/5/2026 at 6:41:10 PM

Didn't realise this was some historic evil script and not some active attacker who could change tack at any moment.

That makes the fix pretty easy. Write a regex to detect the evil script, and revert every page to a historic version without the script.

by londons_explore

3/5/2026 at 9:12:21 PM

Letting ancient evil code run? Have we learned nothing from A Fire Upon the Deep?!

by jl6

3/5/2026 at 9:58:11 PM

"It was really just humans playing with an old library. It should be safe, using their own automation, clean and benign.

This library wasn't a living creature, or even possessed of automation (which here might mean something more, far more, than human)."

by HoldOnAMinute

3/5/2026 at 9:48:07 PM

I've only just heard of it. But, I already knew to not run random scripts under a privileged account. And thank you for the book suggestion - I'm into those kinds of tales.

by edoceo

3/5/2026 at 10:15:03 PM

I love that book

by xeromal

3/5/2026 at 10:17:47 PM

Or just restore from backup across the board. Assuming they do their backups well this shouldn't be too hard (especially since it's currently in Read Only mode which means no new updates).

by Melatonic

3/5/2026 at 9:55:39 PM

Are you sure? Are you $150 million ARR sure? Are you $150 million ARR, you'd really like to keep your job, you're not going to accidentally leave a hole or blow up something else, sure?

I agree, mostly, but I'm also really glad I don't have to put out this fire. Cheering them on from the sidelines, though!

by observationist

3/5/2026 at 7:23:19 PM

True but it does say something that such a script was able to lie dormant for so long.

by jacquesm

3/5/2026 at 8:48:17 PM

Why would anyone test in production???!!!

by outofpaper

3/5/2026 at 9:59:04 PM

There are plenty of ways to safely test in production. For one thing you need to limit the scope of your changes.

by HoldOnAMinute

3/5/2026 at 8:53:11 PM

I have never heard of this kind of insane behaviour before.

by fifilura

3/5/2026 at 9:34:04 PM

Selecting the wrong environment in your test setup by mistake?

I refuse to believe that someone on the security team intentionally tested random user scripts in production on purpose.

by ninth_ant

3/5/2026 at 9:54:46 PM

> I refuse to believe that someone on the security team intentionally tested random user scripts in production on purpose.

Do I have a bridge to sell you, oh boy

by irishcoffee

3/5/2026 at 9:48:38 PM

300 million dollar organization btw

by davidd_1004

3/5/2026 at 9:54:31 PM

I'm guessing, "1> Hey Claude, your script ran this malicious script!"

"Claude> Yes, you're absolutely right! I'm sorry!"

by Fokamul

3/5/2026 at 9:35:01 PM

On one hand, I was about to get irrationally angry someone was attacking Wikipedia, so I'm a bit relieved

On the other hand,

>a Staff Security Engineer at WMF, and naturally they decided to do this test under their highly-privileged Wikimedia Foundation staff account

seriously?

by AlienRobot

3/5/2026 at 8:07:37 PM

wait as a wikipedia user you can just put random JS to some settings and it will just... run? privileged?

this is both really cool and really really insane

by karel-3d

3/5/2026 at 8:15:59 PM

It's a mediawiki feature: there's a set of pages that get treated as JS/CSS and shown for either all users or specifically you. You do need to be an admin to edit the ones that get shown to all users.

https://www.mediawiki.org/wiki/Manual:Interface/JavaScript

by kemayo

3/5/2026 at 8:09:55 PM

Yes, you can have your own JS/CSS that's injected in every page. This is pretty useful for widgets, editing tools, or to customize the website's appearance.

by hk__2

3/5/2026 at 8:32:43 PM

It sounds very dangerous to me but who am I to judge.

by karel-3d

3/5/2026 at 8:56:42 PM

It's nothing.

For the global ones that need admin permissions to edit, it's no different from all the other code of mediawiki itself like the php.

For the user scripts, it's no worse than the fact that you can run Tampermonkey in your browser and have it modify every page from every site in whatever way you want.

by Brian_K_White

3/5/2026 at 10:16:02 PM

It is kind of risky - you now have an entire, mostly unreviewed, ecosystem of javascript code, that users can experiment with.

However, it's been really useful to allow power users to customize the interface to their needs. It also is sort of a pressure release for when official devs are too slow for meeting needs. At this point Wikipedia has become very dependent on it.

by bawolff

3/5/2026 at 8:42:31 PM

That is how Mediawiki works. Everything is a page, including CSS and JS. It is not really different than including JS in a webpage anywhere else.

by corndoge

3/5/2026 at 5:07:18 PM

Wow. This worm is fascinating. It seems to do the following:

- Inject itself into the MediaWiki:Common.js page to persist globally, and into the User:Common.js page to do the same as a fallback

- Uses jQuery to hide UI elements that would reveal the infection

- Vandalizes 20 random articles with a 5000px wide image and another XSS script from basemetrika.ru

- If an admin is infected, it will use the Special:Nuke page to delete 3 random articles from the global namespace, AND use the Special:Random with action=delete to delete another 20 random articles

EDIT! The Special:Nuke is really weird. It gets a default list of articles to nuke from the search field, which could be any group of articles, and rubber-stamps nuking them. It does this three times in a row.

by nhubbard
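The two practical points above, adxl's "write a regex to detect the evil script and revert every page to a historic version without it" and nhubbard's list of what the worm touches (basemetrika.ru, Special:Nuke, Special:Random with action=delete), fit together as a small triage routine. The following is an added example, not code from the thread, from Wikimedia or from MediaWiki: it scans the revision history of script pages for those indicators and picks the newest clean revision as the revert target. The revision data is constructed for the example, and the indicator patterns are only the ones the thread names, so a real cleanup would need the actual worm body to build its regex from.

```python
"""Indicator scan over MediaWiki user-script revisions (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicator patterns built from the thread's description of the worm.
# A match is a signal for review, not proof by itself.
INDICATORS = {
    "external_domain": re.compile(r"basemetrika\.ru", re.IGNORECASE),
    "mass_delete_tool": re.compile(r"Special:Nuke", re.IGNORECASE),
    "random_delete": re.compile(r"Special:Random[^\n]*action=delete", re.IGNORECASE),
}


@dataclass
class Revision:
    rev_id: int      # MediaWiki revision id; higher means newer
    user: str        # account that saved the revision
    content: str     # raw script text of that revision


def matched_indicators(content: str) -> List[str]:
    """Return the names of every indicator present in one revision's text."""
    return [name for name, pat in INDICATORS.items() if pat.search(content)]


def find_revert_target(revisions: List[Revision]) -> Optional[Revision]:
    """Newest revision with no indicator, or None if every revision is flagged."""
    for rev in sorted(revisions, key=lambda r: r.rev_id, reverse=True):
        if not matched_indicators(rev.content):
            return rev
    return None


def triage(pages: Dict[str, List[Revision]]) -> Dict[str, dict]:
    """Per page: which revisions carry indicators, and where to revert to."""
    report = {}
    for title, revs in pages.items():
        flagged = {r.rev_id: matched_indicators(r.content) for r in revs}
        flagged = {rid: names for rid, names in flagged.items() if names}
        target = find_revert_target(revs)
        report[title] = {
            "flagged": flagged,
            "revert_to": target.rev_id if target else None,  # None: no clean revision
        }
    return report


# Constructed sample histories (not real Wikipedia data). Revisions 103 and 104
# carry the indicators the thread describes; 101 and 102 are ordinary user JS.
SAMPLE_PAGES = {
    "User:Example/common.js": [
        Revision(101, "Example", "// load my tools\nmw.loader.load('/w/index.php?title=User:Example/tools.js&action=raw&ctype=text/javascript');"),
        Revision(102, "Example", "// sidebar link\n$('#p-tb ul').append('<li><a href=\"/wiki/Special:Watchlist\">WL</a></li>');"),
        Revision(103, "Example", "$('.mw-indicators').hide();\nvar u = 'https://basemetrika.ru/';\nvar tool = 'Special:Nuke';"),
        Revision(104, "Example", "$('.mw-indicators').hide();\nvar u = 'https://basemetrika.ru/';\nvar r = '/wiki/Special:Random?action=delete';"),
    ],
    "User:Clean/common.js": [
        Revision(201, "Clean", "console.log('hello');"),
    ],
}

if __name__ == "__main__":
    for title, result in triage(SAMPLE_PAGES).items():
        print(title, result)
```

Running it reports revisions 103 and 104 of the first page as flagged and names 102 as the revert target, while the second page is untouched. The regex-only approach has the same limit adxl's comment implies: it only catches the known script, so a page whose every revision is flagged (revert target None) needs a human to decide whether to blank it or restore from backup.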

3/5/2026 at 9:56:24 PM

There doesn’t seem to be an ulterior motive beyond “Muahaha, see the trouble I can cause!”

by divbzero

3/5/2026 at 5:10:56 PM

As someone on the Wikipediocracy forums pointed out, basemetrika.ru does not exist. I get an NXDomain response trying to resolve it. The plot thickens.

by 256_

3/5/2026 at 5:14:01 PM

Yeah, basemetrika.ru is free now. Should we occupy it? ;)

by pKropotkin

3/5/2026 at 6:42:53 PM

I registered it about 40 minutes ago, but it seems the DNS has been cached by everyone as a result of the Wikipedia hack & not even the NS is propagating. Can't get an SSL certificate.

by acheong08

3/5/2026 at 7:44:30 PM

nice work

by bjord

3/5/2026 at 7:00:59 PM

I had looked into its availability too, just out of curiosity, on a provider before reading your comment. Then I read your comment. At least it's taken by someone from the Hacker News community and not a malicious actor.

Do keep us updated on the whole situation if any relevant situation can happen from your POV perhaps.

I'd suggest to give the domain to wikipedia team as they might know what could be the best use case of it if possible.

by Imustaskforhelp

3/5/2026 at 9:28:58 PM

This community has no malicious actors? :)

by Freak_NL

3/5/2026 at 10:38:22 PM

I'm not malicious at least :)

Pretty public with who I am https://duti.dev/

by acheong08

3/5/2026 at 5:48:57 PM

It means giving money to the Russian government, so no.

If anyone from the Russian government is reading this, get the fuck out of Ukraine. Thank you.

by amiga386

3/5/2026 at 6:22:49 PM

Well done, it's finally over

by dwedge

3/5/2026 at 6:30:03 PM

reg.ru, the most popular registrar, sells .ru domains for $1.65, very little of which goes to the national registry. What is their profit on this domain, a couple of cents?

You have helped to bring peace by approximately zero nanoseconds, while doing absolutely nothing about western countries still buying massive amounts of natural resources from Putin. Tax income on their exports makes up the primary source of income for the federal budget, which directly funds the military.

Good virtue signaling, though. I'm completely disillusioned with the West, this is nothing new.

by INR18650

3/5/2026 at 8:26:43 PM

I don't think voting with your wallet constitutes virtue signaling, especially at a time when end user boycotting is one of the universally known methods of protest.

by avidruntime

3/5/2026 at 8:38:05 PM

I am a pragmatist so maybe I will never understand this line of thinking. But in my mind, there are no perfect options, including doing nothing.

By doing nothing, you are allowing a malicious actor to buy the domain. In fact I am sure they would love for everyone else to be paralyzed by purity tests for a $1 domain.

All things being equal, yeah don’t buy a .ru domain. But they are not equal.

by janalsncm

3/5/2026 at 6:37:20 PM

[flagged]

by cryptoegorophy

3/5/2026 at 7:51:10 PM

If anyone is genuinely curious about this, they were indeed letting Russian gas through and stopped in 2025:

> On 1 January 2025, Ukraine terminated all Russian gas transit through its territory, after the contract between Gazprom and Naftohaz signed in 2019 expired. [...] It is estimated that Russia will lose around €5bn a year as a result.

https://en.wikipedia.org/wiki/Russia%E2%80%93Ukraine_gas_dis...

by Rendello

3/5/2026 at 6:50:12 PM

You must be fun at parties

by yenepho

3/5/2026 at 7:24:39 PM

They're a ... gas.

by bregma

3/5/2026 at 7:01:43 PM

More fun than GP lol

by DaSHacka

3/5/2026 at 5:48:36 PM

Namecheap won’t sell it which is great because it made me pause and wonder whether it's legal for an American to send Russians money for a TLD.

by Barbing

3/5/2026 at 8:41:41 PM

Namecheap is Ukrainian, of course they won't sell you a .ru domain.

by throw-the-towel

3/5/2026 at 9:27:57 PM

Is it? Wikipedia says:

> Namecheap is a U.S. based domain name registrar and web hosting service company headquartered in Phoenix, Arizona.

and in 2025 they were purchased by:

> CVC Capital Partners plc is a Jersey-based private equity and investment advisory firm

by craftkiller

3/5/2026 at 7:02:45 PM

Pretty sure it is, however, the reverse is actually illegal (for US citizens to provide professional services to anyone residing in Russia) as of like 2022-ish

by DaSHacka

3/5/2026 at 5:18:45 PM

I'm half-tempted to try and claim it myself for fun and profit, but I think I'll leave it for someone else.

What should we put there, anyway?

by 256_

3/5/2026 at 5:28:32 PM

A JavaScript call to window.alert to pause the JavaScript VM.

by speedgoose

3/5/2026 at 5:23:26 PM

Go old school and have the script inject the "how did this get here im not good with computers" cat onto random pages

by gibsonsmog

3/5/2026 at 5:21:06 PM

I'd log requests and echo them back in the page

by gchamonlive

3/5/2026 at 6:21:03 PM

The antinuke

by yreg

3/5/2026 at 5:43:20 PM

> Vandalizes 20 random articles with a 5000px wide image and another XSS script from basemetrika.ru

Note: while this looks like it's trying to trigger an XSS, what it's doing is ineffective, so basemetrika.ru would never get loaded (even ignoring that the domain doesn't exist).

by bawolff

3/5/2026 at 5:18:12 PM

Wouldn't be surprised if elaborate worms like this are AI-designed

by dheera

3/5/2026 at 5:19:43 PM

I wouldn't be surprised either. But the original formatting of the worm makes me think it was human written, or maybe AI assisted, but not 100% AI. It has a lot of unusual stylistic choices that I don't believe an AI would intentionally output.

by nhubbard

3/5/2026 at 5:48:39 PM

I would. AI designed software in general does not include novel ideas. And this is the kind of novel software AI is not great at, because there's not much training data.

Of course it's very possible someone wrote it with AI help. But almost no chance it was designed by AI.

by integralid

3/5/2026 at 9:30:40 PM

I mean....elaborate is a stretch.

by idiotsecant