Wikimedia Foundation/Product and Technology/Product Safety and Integrity/March 2026 User Script Incident

Earlier today (March 5, 2026), Wikimedia Foundation staff were conducting a security review of user-authored code across Wikimedia projects. During that review, we inadvertently activated dormant code that was then quickly identified to be malicious.

The code was active for a 23-minute period. This caused page deletions on Meta-Wiki that have since been restored. To prevent the script from spreading further while we investigated, Wikimedia projects were set to read-only for about 2 hours, and all user JavaScript was temporarily disabled for most of the day.

Affected pages have since been restored, and we believe no permanent damage has occurred as a result of this code. We have no reason to believe that Wikipedia was actively under attack or that personal information was breached as part of this incident.

At this point, the impact of the malicious code has been cleaned up, and user JavaScript has been re-enabled. We are actively developing further security mitigations for user JavaScript in consultation with the community, to make incidents of this kind much more difficult to happen in the future.