So yes indeed, there was a malicious diary placed on Daily Kos very early in the morning: people who clicked a link provided by the diarist were directed to a site with a malicious script on it designed to steal your dKos cookies. The "script kiddie" was then able to log in as those users and write comments or diaries under their names, change their signatures, etc.
This isn't the first time a script kiddie has tried to target Daily Kos, and it won't be the last. We delete the attacks, alert the service provider, and take other actions as necessary.
Note that this isn't a "hacking" attempt. Nobody succeeded in actually getting a malicious script on Daily Kos itself (though lord knows, people try on a regular basis). Nope, this was a "script kiddie" using well-known XSS (cross-site scripting) attacks -- the sort of "trojan horse" attacks that have been common to email spammers and virus writers for years -- and which other sites have unfortunately also had to deal with in their own comments. Since an attack like this can't perform a malicious action directly, it relies on tricking you into going to some other site where a malicious script can be run, a virus uploaded, etc.
There is an absolute defense against such scripts, though: don't click the link. Don't click ANY link leading away from the site unless you are reasonably certain that it goes to a safe place. This counts for URL shortening services, too: if you see a "shortened" link and you don't know where it goes, DO NOT CLICK. This is true of emailed spam and the entire rest of the internet. This script kiddie was only interested in getting Daily Kos logins... many others are criminals seeking to get your banking information or other information they can use for identity theft. NEVER click on a URL in email, on this site, or on any other site unless you can see where it goes at the bottom of your browser window and can determine that it's probably safe.
As for more immediate advice: first, if you do accidentally click a malicious link, log out of your Daily Kos account immediately. This will invalidate the stolen cookie, thus hopefully limiting the damage caused.
Second, troll rate any posts you see with malicious links... this will allow admins to find and delete them more quickly. (Only one trollrate is necessary, just to mark it for us to find.) We'll think of ways to help prevent this sort of vandalism, but offsite attacks like this are very difficult to guard against completely: we can protect users on this site, but we can't protect against all the possible links someone might put up here.
Third, if you're using Firefox and want hardcore protection against scripted attacks, try the NoScript plugin. It will prevent scripts from running unless you explicitly allow them on a site-by-site basis. Perhaps folks in comments can suggest similar measures for other browsers.
(Oh, and general internet advice -- no matter where you are, never click anything hosted on php0h.com, which has hosted nearly every one of these "script kiddie" attacks over the last year.)
We'll be forcibly logging out all users every once in a while in an effort to wipe the affected cookies. If you get logged out, just log back in. And for Pete's sake, be careful what you click.
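
Why logging out kills a stolen cookie, and why a forced logout of all users does the same site-wide, shown as an added example (not Daily Kos's own code). It assumes the cookie holds only a random token that the server checks against its own session table; `SessionStore` and its method names are hypothetical.

```python
import secrets
import time


class SessionStore:
    """Server-side session table; the browser cookie carries only the token."""

    def __init__(self):
        self._sessions = {}       # token -> (username, issued_at)
        self._valid_after = 0.0   # sessions issued before this time are rejected

    def login(self, username, now=None):
        token = secrets.token_urlsafe(32)   # unguessable cookie value
        self._sessions[token] = (username, time.time() if now is None else now)
        return token

    def whoami(self, token):
        """Return the username for a cookie value, or None if it is not valid."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, issued_at = entry
        if issued_at < self._valid_after:   # issued before the last forced logout
            del self._sessions[token]
            return None
        return username

    def logout(self, token):
        # Deleting the server-side record invalidates every copy of the cookie,
        # including one held by whoever stole it.
        self._sessions.pop(token, None)

    def force_logout_all(self, now=None):
        # Admin action: reject every session issued before this moment.
        self._valid_after = time.time() if now is None else now


def replay_demo():
    """Constructed scenario: a copied cookie is replayed before and after logout."""
    store = SessionStore()
    cookie = store.login("alice", now=100.0)
    stolen = cookie                           # the thief's copy of the same value
    before = store.whoami(stolen)             # works while alice stays logged in
    store.logout(cookie)                      # alice logs out
    after_logout = store.whoami(stolen)       # the stolen copy no longer works
    bob = store.login("bob", now=150.0)
    store.force_logout_all(now=200.0)         # site-wide forced logout
    after_forced = store.whoami(bob)          # bob's old cookie is rejected
    relogin = store.whoami(store.login("bob", now=201.0))
    return before, after_logout, after_forced, relogin
```
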