Wikipedia administrator account compromised and temporarily put into read-only mode

by Harleen Quinzellová

A serious security incident occurred across Wikimedia projects, including the online encyclopedia Wikipedia, on March 5, 2026. The issue compromised an administrator account at the Wikimedia Foundation, leading to mass deletion and vandalism of pages across multiple language versions, temporarily putting the entire site into read-only mode and disabling JavaScript.

Wikipedia:Village pump (technical) - Wikipedia
https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(technical)#Meta-Wiki_compromised

[MEGATHREAD] Wikimedia wikis locked / Accounts compromised : wikipedia
https://old.reddit.com/r/wikipedia/comments/1rllcdg/megathread_wikimedia_wikis_locked_accounts/

Mass-compromising of admin accounts on meta - Wikipedia
https://wikipediocracy.com/forum/viewtopic.php?f=8&t=14555

The direct cause of the incident was an improper test conducted by Scott Bassett, a security engineer and staff member at the Wikimedia Foundation, using his global account. Bassett was loading a number of external scripts to test global API restrictions for user scripts, and in the process accidentally imported malicious code into his global configuration file.

The malicious code was a script called 'Wikiworm,' created in 2023 to attack Russian alternative wiki projects such as Wikireality and Cyclopedia. According to a comment posted on the social news site Hacker News, the script injected itself into the MediaWiki:Common.js page to ensure global persistence, and also into individual User:Common.js pages as a backup. To prevent the infection from being detected, the script also used jQuery to hide UI elements that showed signs of infection.

Furthermore, if an account of an administrator with sufficient privileges were compromised, the attackers were able to activate a more powerful deletion function, such as abusing the Special:Nuke page to delete three articles from the global namespace three times, or combining the delete action with Special:Random to randomly delete an additional 20 articles. This Special:Nuke behavior was performed in a very unusual way, by simply accepting and deleting a list in the search field.

The script in question had been present in Russian Wikipedia user pages since 2024, but had been dormant for a long period of time. However, when a highly privileged Foundation staff account executed the code, it became possible for it to spread to a wide range of systems, starting from Meta-Wiki .

The infected accounts automatically deleted or blanked pages indiscriminately, leaving behind edit summaries such as 'Закрываем проект' ('Closing the Project'). In particular, the infection spread to other administrator accounts who had previously viewed the Meta-Wiki, causing a chain reaction of damage.

Wikimedia's System Administrator (SRE) team took the situation seriously and immediately switched all wiki projects to read-only mode to prevent further damage and spread of the infection. They also forcibly disabled the loading of custom JavaScript by users across the system, and took emergency measures to remove the compromised code and simultaneously verify the security of the system.

Approximately two hours after the incident, at 17:09 UTC on March 5, 2026, the system was deemed safe and restored to normal read/write mode. Unauthorized deletions and edits were quickly restored, and script execution via user settings has now resumed. The Wikimedia Foundation reports that no personal information or passwords of users have been leaked, and that no permanent damage has been avoided.