lemmy.world is a victim of an XSS attack right now and the hacker simply injected a JavaScript redirection into the sidebar.
It appears the Lemmy backend does not escape HTML in the main sidebar. Not sure if this is also true for community sidebars.
EDIT: as a demo, your web browser is probably telling you that it’s blocked a popup or something; you should see an alert I’ve injected.
So any comment or post?
Yes, so you don’t even need to compromise an admin account
So maybe the admin account was compromised as a result of the hack, rather than the other way around?
The hacker could use a cookie stealer injected by the XSS to steal the admin account.