
A rogue script quietly planted in Russian Wikipedia in March 2024 lay undetected until a Wikimedia Foundation security engineer inadvertently woke it up — triggering a platform-wide editing lockdown and deleting content for nearly half an hour.
Wikipedia went read-only on Thursday morning — not because of a sophisticated outside attack, but because someone on the inside accidentally stepped on a landmine that had been sitting in plain sight for almost two years.
The incident began when a Wikimedia Foundation security engineer, working with a highly privileged account, ran what appears to have been a routine review of user-authored JavaScript across the platform. Rather than isolating scripts in a controlled test environment, the engineer loaded a broad sweep of user scripts directly — and one of them turned out to be a worm.

The malicious script, innocuously named test.js, was uploaded to the Russian-language Wikipedia (ruwiki) in March 2024 by an account called Ololoshka562. For 23 months, it did nothing.
Once activated on Thursday, it behaved like a classic worm (self-replicating malicious code that spreads without user interaction): it injected itself into the global JavaScript of each page it touched, then propagated into the personal user scripts of anyone who visited that page while logged in.
The script was specifically built to cause chaos. It invoked Special:Nuke — a legitimate admin tool designed to batch-delete recently created pages — running it in loops to target articles at random.
Deleted edits carried the Russian summary "Закрываем проект" — "We are closing the project." It also attempted to insert a nonexistent image, Woodpecker10.jpg, into pages. Damage was confined to Meta-Wiki, the foundation's internal project coordination site, and has since been restored.
"During that review, we activated dormant code that was then quickly identified to be malicious. The code was active for 23 minutes… it did not cause permanent damage. We have no evidence that Wikipedia was under attack or that personal information was breached." — Wikimedia Foundation statement
The worm's design has led observers to draw comparisons with tactics historically associated with Russian-language Wikipedia vandalism campaigns, suggesting this script may be a remnant of a much earlier, coordinated effort to disrupt the platform. The account that uploaded it has now been permanently blocked.
The deeper story here isn't a hack — it's a process failure. A privileged employee account was used to load arbitrary, unvetted community scripts without the kind of sandboxing (an isolated environment that prevents code from affecting the broader system) that the risk level clearly warranted. The worm exploited exactly that gap. Wikimedia has said it is now developing additional security measures to prevent a repeat.
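One way to close that gap is to triage user scripts statically before anyone loads them in a privileged session. The sketch below is an added example, not Wikimedia's tooling and not code from the incident: the rule set, verdict names and sample scripts are constructed assumptions, chosen to match the behaviours described above (mass deletion via Special:Nuke, writes to site-wide or personal script pages).

```javascript
// Added example: static triage of user-authored wiki scripts before review.
// Rule patterns and verdict names are illustrative assumptions.
const RULES = [
  { id: 'mass-delete', re: /Special:Nuke/i },            // batch-deletion tool
  { id: 'script-page-target',                            // site-wide or personal JS page
    re: /(MediaWiki:|\/)(common|global)\.js/i },
  { id: 'state-change',                                  // write through the API
    re: /action\s*[:=]\s*['"]?(edit|delete)\b/i },
  { id: 'dynamic-load',                                  // pulls in further code
    re: /\b(importScript|mw\.loader\.load|eval)\s*\(/ },
];

function triage(name, source) {
  const hits = RULES.filter((r) => r.re.test(source)).map((r) => r.id);
  const has = (id) => hits.includes(id);
  let verdict = hits.length > 0 ? 'review' : 'ok';
  // A script that both writes and names a script page has the self-propagating
  // shape; one that references mass deletion is destructive. Neither should be
  // loaded under a privileged account; run it only in an isolated session.
  if (has('mass-delete') || (has('state-change') && has('script-page-target'))) {
    verdict = 'quarantine';
  }
  return { name, hits, verdict };
}

function triageAll(samples) {
  return Object.entries(samples).map(([n, src]) => triage(n, src));
}

// Constructed samples (hypothetical accounts; not the script from the incident).
const SAMPLES = {
  'User:ExampleA/portlet.js':
    "mw.util.addPortletLink('p-tb', '/wiki/Special:RecentChanges', 'RC');",
  'User:ExampleB/loader.js':
    "mw.loader.load('/w/index.php?title=User:ExampleB/lib.js&action=raw');",
  'User:ExampleC/test.js': [
    "var target = 'MediaWiki:Common.js';",
    "api.postWithToken('csrf', { action: 'edit', title: target });",
    "var tool = 'Special:Nuke';",
  ].join('\n'),
};

for (const r of triageAll(SAMPLES)) {
  console.log(`${r.verdict.padEnd(10)} ${r.name}  [${r.hits.join(', ')}]`);
}
```

Pattern matching of this kind is a pre-filter only: obfuscated code will slip past it, so anything not marked `ok` still belongs in an unprivileged, isolated session rather than a staff account.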
For regular Wikipedia readers, there was no exposure of personal data and no lasting damage to articles. But for the volunteer editor community — and for anyone who cares about how open platforms audit the enormous amount of user-contributed code they run — Thursday was a pointed reminder that "dormant" is not the same as "gone."