The Wikimedia wikis were in read-only mode following a security incident, where a large number of accounts appear to have been compromised. The affected accounts made automated mass edits across pages with the edit summary "Закрываем проект", among potentially other edits. This appears to have started with a compromised JavaScript on the site.
Summary of events:
On 5 March 2026, a Wikimedia Foundation employee accidentally imported a malicious script to his account on Meta-Wiki while testing global API limits for user scripts (see his global.js page history/global.js&action=history)). The malicious script was created in 2023 to attack two Russian-language alternative wiki projects, Wikireality and Cyclopedia. In 2024, user Ololoshka562 created a page on the Russian Wikipedia containing the script used in these attacks. The script, which had been sitting dormant on ruwiki for 1.5 years, then spread to several accounts on Meta, including WMFOffice, and mass-deleted pages in namespaces 0–3, leaving behind an edit summary of "Закрываем проект", Russian for "Closing the project". The staff member, as a global interface administrator, has permission to edit meta:MediaWiki:Common.js, which allowed the script to infect any user who visited Meta-Wiki while it was active. To prevent the script from spreading further, all Wikimedia projects were set to read-only for about 2 hours, and all user JavaScript was temporarily disabled.
Post from WMF staff member on Discord:
Hey all - as some of you have seen, we (WMF) were doing a security review of the behavior of user scripts, and unintentionally activated one that turned out to be malicious. That is what caused the page deletions you saw on the Meta log, which are getting cleaned up. We have no reason to believe any third-party entity was actively attacking us today, or that any permanent damage occurred or any breach of personal information.
We were doing this security review as part of an effort to limit the risks of exactly this kind of attack. The irony of us triggering this script while doing so is not lost on us, and we are sorry about the disruption. But the risks in this system are real. We are going to continue working on security protections for user scripts – in close consultation with the community, of course – to make this sort of thing much harder to happen in the future.
Wow. This worm is fascinating. It seems to do the following: - Inject itself into the MediaWiki:Common.js page to persist globally, and into the User:Common.js page to do the same as a fallback - Uses jQuery to hide UI elements that would reveal the infection - Vandalizes 20 random articles with a 5000px wide image and another XSS script from basemetrika.ru - If an admin is infected, it will use the Special:Nuke page to delete 3 random articles from the global namespace, AND use the Special:Random with action=delete to delete another 20 random articles EDIT! The Special:Nuke is really weird. It gets a default list of articles to nuke from the search field, which could be any group of articles, and rubber-stamps nuking them. It does this three times in a row.
Source: https://news.ycombinator.com/item?id=47264202
For some reason, basemetrika.ru was not a registered domain. I have now registered it and thus hopefully nobody else will be able to use it for malicious purposes. If the wikimedia foundation would like to take the domain off me, they can contact me at acheong@duti.dev.
My personal site is https://duti.dev and you can find more about who I am there. Just a random guy, not a hacker.