The nonprofit that oversees Wikipedia briefly enforced a ‘read-only’ mode on Thursday morning as users spotted code designed to delete articles and place Russian text in the edit summary.

Wikipedia briefly went into “read-only mode” this morning and disabled article editing after a malicious piece of code was detected that could delete entries.

Initially, Wikipedia editors uncovered evidence that the Wikimedia Foundation, the nonprofit that oversees the online encyclopedia, seemed to be fending off a vandalism attempt. An automated attack was traced to a JavaScript program designed to secretly hijack admin accounts and delete random articles.

The attack affected the WMFOffice account, which is tied to the Wikimedia Foundation. When deleting articles, it was found writing in the edit summary, “Закрываем проект,” which means “We are closing the project.” That said, the edits appeared to have been made only on the nonprofit’s Meta-Wiki site dedicated to the foundation’s software projects.

Still, one user traced the vandalism to JavaScript code added to the Russian-language Wikipedia site in March 2024, meaning it had been dormant for nearly two years. The computer code mentions triggering “Special:Nuke,” an extension meant for Wikipedia administrators to delete recently created pages en masse. The script also appears to run the Nuke function in loops to target random articles and includes a function to place a nonexistent “Woodpecker10.jpg” image.

The attack prompted some observers to compare it to a computer worm; if the malicious JavaScript had been loaded on a main Wikipedia or Wikimedia page, it could theoretically hijack the edit functions of any admin account that visited the manipulated sites. The attack also bears similarities to the tactics of a Russian bad actor group that targeted Russian Wiki pages years ago, suggesting the malicious JavaScript originated from a much earlier vandalism campaign.

As for why the attack was triggered today, a security-related account for the Wikimedia Foundation was found testing all JavaScript programs on Wikipedia this morning and likely loaded the long-dormant but malicious JavaScript. Hence, it wasn’t a deliberate hacking attempt, but an accidental activation.

In a statement, the nonprofit confirmed the issue. “Earlier today, Wikimedia Foundation staff were conducting a security review of user-authored code on Wikipedia,” the group told PCMag. “During that review, we activated dormant code that was then quickly identified to be malicious. As a preventative measure, we temporarily disabled editing on Wikipedia and other Wikimedia projects while we removed the malicious code and confirmed the website was safe for user activity. The security issue behind this disruption has now been resolved.

“The code was active for a 23-minute period,” the nonprofit added. “During that time, it changed and deleted content on Meta-Wiki—which is now being restored—but it did not cause permanent damage. We have no evidence that Wikipedia was under attack or that personal information was breached as part of this incident. We are developing additional security measures to minimize the risk of this kind of incident happening again.”
