
Mouse-Over Exploit Hits Twitter.com


A JavaScript exploit has allowed all kinds of not-at-all-safe-for-work sites to pop up sites and text through Twitter.com, and force a re-tweet, even if all a user does is move their mouse over a particular link. Update: It's been fixed.

The exploit has spread to thousands of accounts now—some with hardcore porn pop-ups, others with jokey references to the exploit—so stick with a third-party Twitter client for the time being to read and send your short updates. [Link and image via Sophos]

Update: Some have reported that simply visiting Twitter.com, with certain tweets from your followers loaded, could be enough to trigger an incident (that link is Twitter.com, too, but only to a specific no-link tweet). Avoid Twitter.com entirely until the exploit is repaired.

Update 2: Twitter posts that the exploit has been patched, but it's likely still a good idea to let the fix propagate through DNS servers before heading back to Twitter's web client.