Treecapitator plugin shipped Fracturiser malware
Part of the "Fracturiser mod campaign stole player credentials" campaign
An account with publishing rights on BukkitDev for a popular plugin implementing 'Treecapitator' functionality was compromised. A malicious JAR file containing the 'Fracturiser' malware was uploaded, appearing as an update.
Story
Treecapitator shows why Fracturiser was not only a CurseForge problem. The affected distribution surface was BukkitDev, another trusted route for Minecraft server plugins.
The attacker used publishing rights for a familiar plugin name and uploaded a malicious JAR as though it were a normal update. Server operators and players were conditioned to trust that path.
The payload matched the wider Fracturiser chain: a Java entry point inside a mod or plugin archive, followed by staged malware aimed at credentials and host compromise on Windows and Linux systems.
The BukkitDev angle widened the response problem. Defenders could not limit their search to CurseForge modpacks; they also had to check plugin folders and server-side JARs that might execute under a different Minecraft workflow.
This record is kept separate because the package scope and platform differ. The campaign groups the shared malware family; the Treecapitator entry records the Bukkit plugin distribution path responders needed to search.
Affected Artifacts
Treecapitator (Bukkit Plugin)
- Observed: 2023-05-01 to 2023-06-08
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes: sha256:5584ac1f8b713d2f6310bd3cde425b775402fbc70e56e5e8d774bec15703ca79
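The plugin-folder search described in the Story section, as an added example that is not part of the original record: it hashes every JAR under the given directories, plus any JAR bundled inside another, and compares the result against the SHA-256 listed above. The default directory names `plugins` and `mods` and the nested-JAR check are assumptions that go beyond what the record states.

```python
import hashlib
import os
import sys
import zipfile

# SHA-256 listed in this record for the malicious Treecapitator JAR.
KNOWN_BAD = {"5584ac1f8b713d2f6310bd3cde425b775402fbc70e56e5e8d774bec15703ca79"}


def sha256_stream(fh, chunk=1 << 20):
    """Hash a file-like object in chunks so large JARs are not read into memory."""
    digest = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def scan_jar(path, known_bad=KNOWN_BAD):
    """Return (location, sha256) hits for a JAR and for any JAR bundled inside it."""
    with open(path, "rb") as fh:
        outer = sha256_stream(fh)
    hits = [(path, outer)] if outer in known_bad else []
    try:
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(".jar"):
                    with zf.open(info) as inner:
                        inner_hash = sha256_stream(inner)
                    if inner_hash in known_bad:
                        hits.append((f"{path}!{info.filename}", inner_hash))
    except (zipfile.BadZipFile, RuntimeError):
        pass  # unreadable or encrypted archive; the outer hash was still checked
    return hits


def scan_roots(roots, known_bad=KNOWN_BAD):
    """Walk each root (assumed names: plugins/, mods/) and collect every hit."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().endswith(".jar"):
                    hits.extend(scan_jar(os.path.join(dirpath, name), known_bad))
    return hits


if __name__ == "__main__":
    for location, digest in scan_roots(sys.argv[1:] or ["plugins", "mods"]):
        print(f"MATCH {digest} {location}")
```

A hash match identifies only this exact file, so an empty result does not by itself clear a server.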
Incident Context
- Motive: Credential Theft
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: No
- Actor: Cybercriminal Gang
External References
- June 2023 - Infected mods detection tool (support.curseforge.com)
- CurseForge compromised mods alert (prismlauncher.org)
- Infected Minecraft mods lead to multi-stage, multi-platform infostealer malware (bitdefender.com)
Source record: oss/attacks/treecapitator/meta.yaml