GNAA, a hacker group, claimed responsibility for the attack. The group's Twitter profile earlier today said 8,600 unique Tumblr users were affected.
Tumblr didn't explain what happened but said in a blog post that no accounts were compromised, and users didn't need to take any further action.
"Our sincere apologies for the inconvenience," the company said. "As always, we are going to great lengths to make sure this type of abuse does not happen again."
A spokeswoman later updated CNET at about 10:30 a.m. PT, saying Tumblr engineers "resolved the issue of the viral post attack that affected a few thousand Tumblr blogs earlier today."
When visiting an infected Tumblr site, users would see an expletive-laden post urging them to commit suicide. The spam also said deleting the post would delete the user's Tumblr account. Visitors also saw a pop-up asking them to confirm they wanted to leave the page.
Sophos noted that each affected post had malicious code embedded inside, and that it spread somewhat like a Web virus. Chester Wisniewski, a Sophos senior security adviser, said someone found a way to bypass Tumblr's filters, possibly by hijacking a legitimate message from Tumblr about site maintenance.
He added that such an attack could have been prevented, and that the situation has happened to many other social media sites. Programmers build Web pages that can't be hacked, but there are also tens of thousands of ways to inject code on a page, he said. Sometimes it's difficult for newer companies to identify and plug all of those holes.
"It was preventable, but this type of thing happens to most social media sites at some point in their youth," Wisniewski told CNET. "Hopefully, Tumblr will learn and lock its site down tighter, and we don't [sic] see it happen again."
Cybersecurity has increasingly been a concern for social media, blogs, and other online outlets. The worm by GNAA is only the latest example of such an attack.
Art Coviello, executive chairman of EMC's RSA security business, today made some predictions about the security landscape for 2013. Among his expectations is that hackers will get more sophisticated and that national governments will continue to fail to legislate on rules of evidence and information sharing, and to reform privacy laws.
In addition, he expects "attack surfaces to continue to expand and any remaining semblance of a perimeter will continue to wither away."
Ultimately, Coviello said, it's "highly likely that a rogue nation state, hacktivists or even terrorists will move beyond intrusion and espionage to attempt meaningful disruption and, eventually, even destruction of critical infrastructure."
The comments are similar to those from John "Mike" McConnell, who served as director of the National Security Agency under President Bill Clinton and then as director of national intelligence under presidents George W. Bush and Barack Obama. He told the Financial Times that the U.S. faces the "cyber equivalent of the World Trade Center attack" unless urgent action is taken.
Updated at 10:40 a.m. PT with news about the issue being resolved, analysis by Sophos, and predictions from RSA's Art Coviello, and again at 2:50 p.m. PT with Tumblr's blog post about the incident and comments from a Sophos senior security adviser.