Update: 10:40 AM - Twitter has posted a full explanation of today's incident.
Update: 7AM - Twitter now says that the XSS attack has now been "identified and patched".
We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.
We expect the patch to be fully rolled out shortly and will update again when it is.
Already, Favstar has seen more than 24,000 retweets of one particular implementation of the bug. A quick look at the trending topics this morning shows quite how quickly the exploit has spread, with "Exploit", "Security Flaw", "Mouseover", "Onmouseover" and "XSS" taking up five of the top 10 topics. Both Mashable and TechCrunch report having seen the exploit used to open pop-up windows, redirect users to porn sites and simply do "funny, rick-rolling type stuff", but the nature of the exploit appears to be changing quickly as the morning goes on.
Twitter user Judofyr noted earlier this morning that there appeared to be an "ugly XSS hole in Twitter right now" and now says that, as far as he knows, he "started the first worm" but can't say for sure.
For now, if you really need to feed the Twitter addiction, it appears that third-party clients are standing up against the attack, so go with that. But the best bet with the website (although the new Twitter.com doesn't appear affected) is to avoid it until further notice.