My Malware Story Gets Stolen; Yet Another Argument for the IndieWeb
A few days after writing about a weird malware campaign, I discovered that half a dozen cybersecurity news outlets had picked up the story. They now outrank me on Google. A metacommentary on the state of internet journalism, attribution, and what it says that a netsec industry has to rely on amateurs to break stories.
few days ago, I wrote [a breakdown of a pretty bizarre malware campaign](https://brennan.day/the-curious-case-of-the-triton-malware-fork/) targeting users of [Triton](https://github.com/otaviocc/Triton), a tiny indie macOS app for [omg.lol](https://home.omg.lol) with just over 100 GitHub stars. The short version is that someone forked it, jammed a malicious ZIP link into the README about fifteen times, and somehow thought this would fool macOS users into downloading a Windows virus. It didn't, and it was kind of funny.
What happened next, though, surprised me far more. I found the Triton Malware Fork write-up on over half a dozen other websites. Now, I'm not new to my work being freebooted (sometimes I've [found myself living in Shillong, India](https://blog.connectquest.co.in/webdev/28-01-2026/analysis-what-i-have-learned-being-on-the-indieweb-for-a-mon.php)) but this was on a whole other level.
When an amateur breaks a story, the SEO machine wins.
## The Search Problem
To start, I did what any egomaniac would do after writing something they're proud of: I googled it. And I found my article buried below a small pile of professional-looking cybersecurity outlets who picked up the story and now rank higher than the original source.
Here's the lineup, roughly in order of how they handled it:
**[GBHackers](https://gbhackers.com/triton-app-discovered-on-github/)** cited me. They used my screenshots with captions that read "Source: brennan.day" and linked directly back to my post. This is a lot closer to proper attribution, but still doesn't take into account the "share-alike" of my licensing (I'll speak more on that later.)
**[Cyber Security News](https://cybersecuritynews.com/malicious-fork-of-legitimate-triton-app/)** credited me as "Security researcher Brennan" and linked back directly. They're also, as it turns out, the de facto upstream source that much of the rest of the aggregation chain pulled from.
**[Simply Secure Group](https://simplysecuregroup.com/malware-in-the-wild-as-malicious-fork-of-legitimate-triton-app-surfaces-on-github/)** is a Florida-based managed security company published their own writeup and at the bottom explicitly labeled CSN as the "original article." My site is linked once in the body, as "Security researcher Brennan." So by the time my findings reached Simply Secure Group's audience, the attribution chain was already me → CSN → them: three hops, with my name reduced to a passing reference and brennan.day nowhere in the headline. I am not a security researcher.
**[Teamwin.in](https://teamwin.in/malware-in-the-wild-as-malicious-fork-of-legitimate-triton-app-surfaces-on-github/)** rewrote the story in their own words and didn't name me. They covered the same facts, the same account name, the same hash, the same a
Did you enjoy this article?
Recommend it — Standard Reader surfaces well-loved writing to more readers across the network.