Wow. This worm is fascinating. It seems to do the following:
- Inject itself into the MediaWiki:Common.js page to persist globally, and into the User:Common.js page to do the same as a fallback
- Uses jQuery to hide UI elements that would reveal the infection
- Vandalizes 20 random articles with a 5000px wide image and another XSS script from basemetrika.ru
- If an admin is infected, it will use the Special:Nuke page to delete 3 random articles from the global namespace, AND use the Special:Random with action=delete to delete another 20 random articles
EDIT! The Special:Nuke is really weird. It gets a default list of articles to nuke from the search field, which could be any group of articles, and rubber-stamps nuking them. It does this three times in a row.
There doesn’t seem to be an ulterior motive beyond “Muahaha, see the trouble I can cause!”
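The behaviours listed above (a script pulled from an outside host, jQuery hiding interface elements, automated Special:Nuke / action=delete calls, self-installation into Common.js, and odd constructs like `Number("20")`) are all things a wiki administrator reviewing a site-script revision could flag mechanically. The following indicator scanner is an added example written for this page; it is not the worm's code and not a Wikimedia tool. The allowlisted hostnames and the sample revision text are constructed for the example.

```python
"""Indicator scan for a MediaWiki site-wide script (Common.js) revision.

Added example: a reviewer of a MediaWiki:Common.js or User:.../common.js
diff can run the revision text through this to surface the behaviours
described in the thread. Hostnames in ALLOWED_HOSTS and SAMPLE_REVISION
are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Hosts a wiki's own scripts may legitimately load from (constructed
# allowlist; a real deployment would list the wiki's actual domains).
ALLOWED_HOSTS = ("example-wiki.org", "upload.example-wiki.org")

URL_RE = re.compile(r"""https?://[^\s'"()<>]+""")
# $('#selector').hide( ... ) -- jQuery hiding an interface element
HIDE_RE = re.compile(r"""\$\(\s*(['"])([^'"]+)\1\s*\)\s*\.hide\s*\(""")
# Number("20") style wrapping of a plain numeric literal
NUMBER_LITERAL_RE = re.compile(r"""Number\(\s*(['"])\d+\1\s*\)""")
# Automation of mass-deletion or single-page deletion endpoints
DESTRUCTIVE_RE = re.compile(r"Special:Nuke|action=delete", re.IGNORECASE)
# References to site-wide or per-user script pages as edit targets
SELF_WRITE_RE = re.compile(r"MediaWiki:Common\.js|/common\.js", re.IGNORECASE)
EDIT_CALL_RE = re.compile(r"action=edit|postWithToken")


def external_hosts(source):
    """Return hostnames referenced by URLs in `source` that are not allowlisted."""
    hosts = set()
    for url in URL_RE.findall(source):
        host = urlparse(url).hostname
        if host and not any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS):
            hosts.add(host)
    return sorted(hosts)


def scan_common_js(source):
    """Return a list of (indicator, detail) tuples; an empty list means nothing flagged."""
    findings = []
    for host in external_hosts(source):
        findings.append(("external_host", host))
    for _quote, selector in HIDE_RE.findall(source):
        findings.append(("hidden_ui_element", selector))
    for m in NUMBER_LITERAL_RE.finditer(source):
        findings.append(("numeric_literal_wrapped", m.group(0)))
    for m in DESTRUCTIVE_RE.finditer(source):
        findings.append(("destructive_admin_action", m.group(0)))
    if SELF_WRITE_RE.search(source) and EDIT_CALL_RE.search(source):
        findings.append(("writes_site_script", "edits a Common.js page"))
    return findings


# Constructed sample revision: indicator strings only, no working logic.
SAMPLE_REVISION = """
/* constructed sample for this example, not a real revision */
mw.loader.load('https://upload.example-wiki.org/site/gadget.js');
var src = 'https://tracker.example.net/x.js';
$('#ca-history').hide();
var n = Number("20");
var target = '/wiki/Special:Nuke';
var page = 'MediaWiki:Common.js'; // submitted with action=edit
"""

if __name__ == "__main__":
    for indicator, detail in scan_common_js(SAMPLE_REVISION):
        print(f"{indicator}: {detail}")
```

The allowlisted load from `upload.example-wiki.org` is left unflagged, while the five suspicious lines each produce one finding. Regex indicators like these are a review aid, not a filter: a revision that is flagged still needs a human to read the diff, and one that is not flagged is not thereby safe.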
A classical virus, from the good old days. None of this botnet/bitcoin mining in the background nonsense.
No one actually knows what the payload from basemetrika.ru contains, though. So it's possible it was originally intended to be more damaging. But no matter what it would have caught attention super fast, so there's probably an upper limit to how sophisticated it could have been.
As someone on the Wikipediocracy forums pointed out, basemetrika.ru does not exist. I get an NXDomain response trying to resolve it. The plot thickens.
Yeah, basemetrika.ru is free now. Should we occupy it? ;)
I registered it about 40 minutes ago, but it seems the DNS has been cached by everyone as a result of the Wikipedia hack & not even the NS is propagating. Can't get an SSL certificate.
nice work
I had looked into its availability too, just out of curiosity, on a provider before reading your comment. Then I read your comment. At least it's taken by the Hacker News community and not a malicious actor.
Do keep us updated on the whole situation if any relevant situation can happen from your POV perhaps.
I'd suggest giving the domain to the Wikipedia team, as they might know what the best use of it could be, if possible.
This community has no malicious actors? :)
I'm not malicious at least :)
Pretty public with who I am https://duti.dev/
Not quite sure which channels I should reach out via but I've put my email on the page so they can contact me.
Based on timings, it seems that Wikipedia wasn't really at risk from the domain being bought as everything was resolved before NS records could propagate. I got 1 hit from the URL which would've loaded up the script and nothing since.
Namecheap won’t sell it which is great because it made me pause and wonder whether it's legal for an American to send Russians money for a TLD.
Namecheap is Ukrainian, of course they won't sell you a .ru domain.
Is it? Wikipedia says:
> Namecheap is a U.S. based domain name registrar and web hosting service company headquartered in Phoenix, Arizona.
and in 2025 they were purchased by:
> CVC Capital Partners plc is a Jersey-based private equity and investment advisory firm
https://news.ycombinator.com/item?id=30504812
Top comment is from the CEO and explains: "We have people on the ground in Ukraine being bombarded now non stop."
I'm not questioning whether or not they have Ukrainian employees, I'm questioning the statement "Namecheap is Ukrainian". That post+comment does not address that. McDonald's has employees in Vietnam but McDonald's is not Vietnamese.
I remember that in 2022 a sizeable part of their workforce was located in Ukraine. Too lazy to search for proof, sorry!
It is. Just punch its name in the search box down below.
Pretty sure it is, however, the reverse is actually illegal (for US citizens to provide professional services to anyone residing in Russia) as of like 2022-ish
I'm half-tempted to try and claim it myself for fun and profit, but I think I'll leave it for someone else.
What should we put there, anyway?
A JavaScript call to window.alert to pause the JavaScript VM.
Looks like someone else from the Hacker News community has bought the domain https://news.ycombinator.com/item?id=47263323#47265499
Go old school and have the script inject the "how did this get here im not good with computers" cat onto random pages
I'd log requests and echo them back in the page
The antinuke
It means giving money to the Russian government, so no.
If anyone from the Russian government is reading this, get the fuck out of Ukraine. Thank you.
Well done, it's finally over
"In 2023, the United States imported U3O8 and equivalents primarily from Canada, Australia, Russia, Kazakhstan, and Uzbekistan. The origin of U3O8 used in U.S. nuclear reactors could change in the coming years. In May 2024, the United States banned imports of uranium products from Russia beginning in August, although companies may apply for waivers through January 1, 2028."
https://www.eia.gov/todayinenergy/detail.php?id=64444
If anyone is genuinely curious about this, they were indeed letting Russian gas through and stopped in 2025:
> On 1 January 2025, Ukraine terminated all Russian gas transit through its territory, after the contract between Gazprom and Naftohaz signed in 2019 expired. [...] It is estimated that Russia will lose around €5bn a year as a result.
https://en.wikipedia.org/wiki/Russia%E2%80%93Ukraine_gas_dis...
You must be fun at parties
They're a ... gas.
More fun than GP lol
I don't think voting with your wallet constitutes virtue signaling, especially at a time when end user boycotting is one of the universally known methods of protest.
I am a pragmatist so maybe I will never understand this line of thinking. But in my mind, there are no perfect options, including doing nothing.
By doing nothing, you are allowing a malicious actor to buy the domain. In fact I am sure they would love for everyone else to be paralyzed by purity tests for a $1 domain.
All things being equal, yeah don’t buy a .ru domain. But they are not equal.
> Vandalizes 20 random articles with a 5000px wide image and another XSS script from basemetrika.ru
Note that while this looks like it's trying to trigger an XSS, what it's doing is ineffective, so basemetrika.ru would never get loaded (even ignoring that the domain doesn't exist).
Wouldn't be surprised if elaborate worms like this are AI-designed
I wouldn't be surprised either. But the original formatting of the worm makes me think it was human written, or maybe AI assisted, but not 100% AI. It has a lot of unusual stylistic choices that I don't believe an AI would intentionally output.
> It has a lot of unusual stylistic choices that I don't believe an AI would intentionally output.
Indeed. One of those unusual choices is that it uses jQuery. Gotta have IE6 compatibility in your worm!
I'm not sure what to make of `Number("20")` in the source code. I would think it's some way to get around some filter intended to discourage CPU-intensive looping, but I don't think user scripts have any form of automated moderation, and if that were the case it doesn't make sense that they would allow a `for` loop in the first place.
jQuery is still sooo much easier to use than React and whatever other messes modern frameworks have created. As a bonus, you don't have to npm build your JS project, you just double click and it opens and works without any build step, which is how interpreted languages were intended to be.
I would. AI designed software in general does not include novel ideas. And this is the kind of novel software AI is not great at, because there's not much training data.
Of course it's very possible someone wrote it with AI help. But almost no chance it was designed by AI.
Turns out it's a pretty rudimentary XSS worm from 2023. If all you have is a hammer, everything looks like a nail; if all you have is an LLM, everything looks like slop?
I mean... elaborate is a stretch.