[nhubbard]

Wow. This worm is fascinating. It seems to do the following:

- Inject itself into the MediaWiki:Common.js page to persist globally, and into the User:Common.js page to do the same as a fallback

- Uses jQuery to hide UI elements that would reveal the infection

- Vandalizes 20 random articles with a 5000px wide image and another XSS script from basemetrika.ru

- If an admin is infected, it will use the Special:Nuke page to delete 3 random articles from the global namespace, AND use the Special:Random with action=delete to delete another 20 random articles

EDIT! The Special:Nuke is really weird. It gets a default list of articles to nuke from the search field, which could be any group of articles, and rubber-stamps nuking them. It does this three times in a row.

[divbzero]

There doesn’t seem to be an ulterior motive beyond “Muahaha, see the trouble I can cause!”

[batiudrami]

A classical virus, from the good old days. None of this botnet/bitcoin mining in the background nonsense.

[mghackerlady]

I've always wanted to make a virus like those of the olden days. I wouldn't do anything malicious with it, but maybe I would deploy it to a friends computer if it wasn't very destructive. What resources are there to learn about viruses?

[aerique]

On the Atari ST we had a boot sector virus that inverted the mouse Y-axis after some random time.

So annoying.

[creatonez]

No one actually knows what the payload from basemetrika.ru contains, though. So it's possible it was originally intended to be more damaging. But no matter what it would have caught attention super fast, so there's probably an upper limit to how sophisticated it could have been.

[256_]

As someone on the Wikipediocracy forums pointed out, basemetrika.ru does not exist. I get an NXDomain response trying to resolve it. The plot thickens.

[pKropotkin]

Yeah, basemetrika.ru is free now. Should we occupy it? ;)

[_lvbh]

I registered it about 40 minutes ago, but it seems the DNS has been cached by everyone as a result of the wikipedia hack & not even the NS is propagating. Can't get an SSL certificate .

[Imustaskforhelp]

I had looked into its availability too just out of curiosity itself before reading your comment on a provider, Then I read your comment. Atleast its taken in from the hackernews community and not a malicious actor.

Do keep us updated on the whole situation if any relevant situation can happen from your POV perhaps.

I'd suggest to give the domain to wikipedia team as they might know what could be the best use case of it if possible.

[Freak_NL]

This community has no malicious actors? :)

[_k2vp]

I'm not malicious at least :)

Pretty public with who I am https://duti.dev/

[_lvbh]

Not quite sure which channels I should reach out via but I've put my email on the page so they can contact me.

Based on timings, it seems that Wikipedia wasn't really at risk from the domain being bought as everything was resolved before NS records could propagate. I got 1 hit from the URL which would've loaded up the script and nothing since.

[bawolff]

Its misinformation that the malicious script loaded that domain. The malicious script did have a url with that domain in it, but it wouldnt load javascript from it (possibly due to a programming mistake/misunderstanding by the author, its kind of unclear what the original intent was)

[bjord]

nice work

[Barbing]

Namecheap won’t sell it which is great because it made me pause and wonder whether it's legal for an American to send Russians money for a TLD.

[throw-the-towel]

Namecheap is Ukrainian, of course they won't sell you a .ru domain.

[craftkiller]

Is it? Wikipedia says:

> Namecheap is a U.S. based domain name registrar and web hosting service company headquartered in Phoenix, Arizona.

and in 2025 they were purchased by:

> CVC Capital Partners plc is a Jersey-based private equity and investment advisory firm

[mkl]

https://news.ycombinator.com/item?id=30504812

Top comment is from the CEO and explains: "We have people on the ground in Ukraine being bombarded now non stop."

[throw-the-towel]

I remember that in 2022 a sizeable part of their workforce was located in Ukraine. Too lazy to search for proof, sorry!

[justsomehnguy]

It is. Just punch it's name in the search box down below.

[DaSHacka]

Pretty sure it is, however, the reverse is actually illegal (for US citizens to provide professional services to anyone residing in Russia) as of like 2022-ish

[Insimwytim]

This is incorrect.

[DaSHacka]

Is it?

https://thewolfgroup.com/blog/executive-order-us-professiona...

[Barbing]

Only certain services?

[256_]

I'm half-tempted to try and claim it myself for fun and profit, but I think I'll leave it for someone else.

What should we put there, anyway?

[speedgoose]

A JavaScript call to window.alert to pause the JavaScript VM.

[Imustaskforhelp]

Looks like someone other from the hackernews community has bought the domain https://news.ycombinator.com/item?id=47263323#47265499

[gibsonsmog]

Go old school and have the script inject the "how did this get here im not good with computers" cat onto random pages

[gchamonlive]

I'd log requests and echo them back in the page

[yreg]

The antinuke

[amiga386]

It means giving money to the Russian government, so no.

If anyone from the Russian government is reading this, get the fuck out of Ukraine. Thank you.

[dwedge]

Well done, it's finally over

[amiga386]

Thanks! For my next trick, I'll solve systemic racism by turning my logo black for a month.

[dwedge]

Make sure you support LGBT rights by superimposing a rainbow over your rainbow, but only in the countries where LGBT people already have rights - it would be bad for business to do it in those other countries.

[SanjayMehta]

"In 2023, the United States imported U3O8 and equivalents primarily from Canada, Australia, Russia, Kazakhstan, and Uzbekistan. The origin of U3O8 used in U.S. nuclear reactors could change in the coming years. In May 2024, the United States banned imports of uranium products from Russia beginning in August, although companies may apply for waivers through January 1, 2028."

https://www.eia.gov/todayinenergy/detail.php?id=64444

[bawolff]

> Vandalizes 20 random articles with a 5000px wide image and another XSS script from basemetrika.ru

Note while this looks like its trying to trigger an xss, what its doing is ineffective, so basemetrika.ru would never get loaded (even ignoring that the domain doesnt exist)

[dheera]

Wouldn't be surprised if elaborate worms like this are AI-designed

[nhubbard]

I wouldn't be surprised either. But the original formatting of the worm makes me think it was human written, or maybe AI assisted, but not 100% AI. It has a lot of unusual stylistic choices that I don't believe an AI would intentionally output.

[creatonez]

> It has a lot of unusual stylistic choices that I don't believe an AI would intentionally output.

Indeed. One of those unusual choices is that it uses jQuery. Gotta have IE6 compatibility in your worm!

I'm not sure what to make of `Number("20")` in the source code. I would think it's some way to get around some filter intended to discourage CPU-intensive looping, but I don't think user scripts have any form of automated moderation, and if that were the case it doesn't make sense that they would allow a `for` loop in the first place.

[dheera]

jQuery is still sooo much easier to use than React and whatever other messes modern frameworks have created. As a bonus, you don't have to npm build your JS project, you just double click and it opens and works without any build step, which is how interpreted languages were intended to be.

[integralid]

I would. AI designed software in general does not include novel ideas. And this is the kind of novel software AI is not great at, because there's not much training data.

Of course it's very possible someone wrote it with AI help. But almost no chance it was designed by AI.

[bawolff]

Almost certainly not AI due to the age of when it was written. However its a very simple script. I think its certainly within the realm of AI to write a short script that makes a few api requests.

[streetfighter64]

Turns out it's a pretty rudimentary XSS worm from 2023. If all you have is a hammer, everything looks like a nail; if all you have is a LLM, everything looks like slop?

[idiotsecant]

I mean....elaborate is a stretch.