My Malware Story Gets Stolen; Yet Another Argument for the IndieWeb
A few days ago, I wrote a breakdown of a pretty bizarre malware campaign targeting users of Triton, a tiny indie macOS app for omg.lol with just over 100 GitHub stars. The short version is that someone forked it, jammed a malicious ZIP link into the README about fifteen times, and somehow thought this would fool macOS users into downloading a Windows virus. It didn't, and it was kind of funny.
What happened next, though, surprised me far more. I found the Triton Malware Fork write-up on over half a dozen other websites. Now, I'm not new to my work being freebooted (sometimes I've found myself living in Shillong, India) but this was on a whole other level.
When an amateur breaks a story, the SEO machine wins.
The Search Problem
To start, I did what any egomaniac would do after writing something they're proud of: I googled it. And I found my article buried below a small pile of professional-looking cybersecurity outlets who picked up the story and now rank higher than the original source.
Here's the lineup, roughly in order of how they handled it:
GBHackers cited me. They used my screenshots with captions that read "Source: brennan.day" and linked directly back to my post. This is a lot closer to proper attribution, but it still doesn't take into account the "share-alike" clause of my licensing (more on that later).
Cyber Security News credited me as "Security researcher Brennan" and linked back directly. They're also, as it turns out, the de facto upstream source that much of the rest of the aggregation chain pulled from.
Simply Secure Group, a Florida-based managed security company, published their own writeup and at the bottom explicitly labeled CSN as the "original article." My site is linked once in the body, as "Security researcher Brennan." So by the time my findings reached Simply Secure Group's audience, the attribution chain was already me → CSN → them: three hops, with my name reduced to a passing reference and brennan.day nowhere in the headline. I am not a security researcher.
Teamwin.in rewrote the story in their own words and didn't name me. They covered the same facts, the same account name, the same hash, the same attack chain, without crediting where those facts came from. It's legal. The IOCs are just data. But it's the kind of thing I was literally describing in the original article as "legal but unethical." Following the letter of the law while violating the spirit of it.
CISO Whisperer is a security-focused publication with over 5,000 LinkedIn followers. They ran a tidy CISO-friendly summary of the story, also crediting "Security researcher Brennan," and then pushed it out on LinkedIn to their audience. That's actually proper attribution, but it does mean that my story, repackaged into bullet points for the executive class, reached a professional audience that will probably never know this blog exists.
Radar by Offseq and Cyware's Daily Threat Intelligence briefing also picked it up, but as brief blurbs and with proper attribution.
And then there's AdSecVN, a Vietnamese cybersecurity outlet, which published a full translated writeup in Vietnamese. They credited "Security researcher Brennan" and linked back. I genuinely find this one the most interesting of the bunch. It means my write-up ended up being read by Vietnamese security professionals I will never meet, translated into a language I don't speak, embedded in a regional security news ecosystem I had no idea existed. The indieweb is small; the internet, apparently, still isn't.
The irony isn't lost on me. My original article was literally about a chain of credit: Otávio C. made something, someone stole it, and here I am now writing about people not attributing me properly. The turtles go all the way down.
A "Security Expert"?
I'm not a netsec expert. I want to be very clear about that. I don't have a CISSP. I'm not a penetration tester, a malware analyst, or a threat intelligence researcher. I'm a 29-year-old Queer Métis writer and hobbyist developer from Mohkínstsis who found something weird while hanging out in an IRC server and was curious enough to pull the thread.
And yet I broke this story. Not GBHackers, which bills itself as the "#1 Globally Trusted Cyber Security News Platform." Not Cyware, a venture-backed threat intelligence company. Not Cyber Security News, which publishes dozens of articles a day.
Me. A guy whose most relevant prior credential is that he can write rainbow CSS and halfway decent Nunjucks templates.
That's either a really good story about the power of the IndieWeb and curiosity-driven research, or a really concerning one about the state of cybersecurity journalism.
The Death Spiral
The model that sites like these operate on is pretty well-understood. They're essentially aggregators with bylines. They monitor feeds, GitHub, Reddit (r/netsec in particular), and each other. They need to produce fast, SEO-optimized summaries of whatever's circulating. Their business is volume, velocity, and Google rankings. Not original reporting.
This isn't new. It's the same thing people said about content farms in the early 2010s and the AI-generated SEO slop of today. The mechanics are slightly different but the outcome is the same: the original source gets buried, and the aggregator gets the traffic.
I watched this happen in real-time. GBHackers published their piece on February 17th. I published mine on the 15th. They outranked me in less than two days.
This is the SEO death spiral that kills independent journalism. Original reporting is expensive (in time, if not in money). Aggregation is cheap. And Google, whatever its stated intentions, continues to reward the aggregators. My article has a real canonical URL, a proper Creative Commons license, and actual original analysis. It still loses the ranking war to a managed security company in Fort Lauderdale that ran my findings through a paraphrase engine.
But Why?
Domain Authority is a rough proxy for how much Google trusts a domain based on how many other trusted sites link to it. GBHackers, Cyware, and CISO Whisperer have spent years publishing daily cybersecurity content and accumulating backlinks from other security outlets, government sites, and industry analysts. They all cross-link each other endlessly. The web of mutual citation tells Google these are the places to go for security news, full stop.
My site, by contrast, is a personal blog where I write about the IndieWeb, personal essays, and cultural criticism.
In Google's framework, specifically E-E-A-T (Experience, Expertise, Authoritativeness, Trustworthiness), cybersecurity content is classified as YMYL ("Your Money or Your Life"). The stakes are real-world harm, so Google applies extra scrutiny to who's publishing it. A personal site with no established "topical authority" in security loses the scrutiny battle to a dedicated aggregator even when it is the original source.
GBHackers linking back to me actually helps my domain authority slightly. But they still outrank me on the article they cited me for. I fed them the signal, they packaged it, and Google rewarded the packager.
On Creative Commons
Everything I write is licensed CC BY-SA 4.0. I chose that license after a conversation I wrote about recently about copyleft and protecting free work from corporate exploitation. The BY means you have to credit me. The SA means if you build on my work, you have to share it under the same terms.
The sites that credited me, GBHackers, Simply Secure Group, and CISO Whisperer, are at least in the neighbourhood of what BY requires.
The ones that took the facts and rewrote them without attribution are murkier. As I covered in the original article, facts themselves aren't copyrightable. The specific IOCs, the malware hash, the MITRE ATT&CK mappings? Just data. But the framing, the analysis, the observation about this potentially being an OpenClaw instance, the jokes about how impressively bad the campaign was? That's my writing, and that's what's licensed.
I'm not a lawyer. I'm not going to pursue anything. I made clear in my original story that I wanted it to be spread and shared, because Triton was just one of hundreds of affected repos and nothing seems to be stopping the malicious forkers so far.
But these websites aren't sharing this information to help the situation or spread awareness. They're sharing it to get traffic. This is exactly what I was talking about regarding the good faith vs. bad faith differentiator in my article categorizing the IndieWeb.
I write on the open web because I believe in the open, independent web, and I expect my work to travel. What I'd like, in an ideal world, is for a piece of writing published on a personal 11ty site to be traceable back to me when it ends up in a threat intelligence briefing.
The Indieweb Has a Discovery Problem
If I hadn't been in that omg.lol IRC server, and hadn't been the one foolish enough to download the .ZIP, run it through VirusTotal, do my write-up, and send it in as a report, then GitHub might not have taken down the fork, because the signal was too small. Triton has 100 stars and omg.lol is a beautiful, deliberately small indieweb community.
The indieweb's greatest strength is the smallness, the deliberateness, the human scale. But that's also exactly what makes it invisible to the systems that are supposed to be keeping everyone safe. And when a human does notice something, the discovery reward flows upward to the platforms with better SEO, not back to the community where the original observation happened.
The threat intelligence industry is, like nearly all other industries, subsidized by the free labour of people. Including curious people on personal blogs.
...and I Don't Think it Matters! (How to DeGoogle)
Look, Google sucks. This is not new. Academic researchers at Leipzig University studied it longitudinally and found a clear trend toward AI-generated, repetitive, affiliate-stuffed content crowding out genuine writing. Google rolls out major spam updates repeatedly promising fixes, pledging a 40% reduction in low-quality content. But the spam is still there. The aggregators repackaging my article still outrank me. The cat-and-mouse game has a permanent winner.
The insidious part is how we've all quietly agreed to let one company determine what knowledge is discoverable on the internet. We've outsourced the act of discovery, of curiosity itself, to a system structurally incentivized to show us ads and that increasingly surfaces content generated specifically to satisfy its own ranking signals, not to satisfy us.
The answer is to stop expecting an algorithm to do something that humans used to do better: recommend things to each other.
This is why I've been so loud about the IndieWeb as a genuine practical proposal.
Webrings are circular chains of linked personal sites, curated by a human who actually read and vouched for each member. The IndieWebRing maintained by Marty McGuire is a great starter. The Weird Wide Webring accepts sites that are "unique and weird in some way." There are dozens of them, growing.
Webmentions are a W3C-standard protocol that let one website notify another when it links to it. A peer-to-peer pingback that doesn't require a centralized platform. If the outlets that cited me had Webmentions enabled, I'd have automatically known about each mention the moment it happened, and my readers would have seen them threaded as responses directly on my post.
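To make the Webmention flow concrete, here is an added example that is not part of the original post: endpoint discovery on the target page, the form-encoded notification a sender would POST, and the receiver-side verification that keeps a mention from being spoofed (the receiver must fetch the source itself and confirm it really links to the target). All URLs and page contents are constructed for the example; the source page in it is a stand-in for an aggregator article, not any real outlet's HTML.

```python
"""Webmention sender/receiver logic, runnable offline on constructed pages.

Implements the W3C Webmention steps: (1) discover the target's endpoint from a
Link header or the first rel="webmention" <link>/<a> in document order,
(2) build the x-www-form-urlencoded POST, (3) verify on the receiving side that
the claimed source page actually links to the target before accepting it.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlsplit


class _LinkFinder(HTMLParser):
    """Collects hrefs of <link>/<a> tags, and those carrying rel=webmention."""

    def __init__(self):
        super().__init__()
        self.hrefs = []      # every href, in document order
        self.endpoints = []  # hrefs whose rel attribute includes "webmention"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href = a.get("href")
        if tag in ("link", "a") and href is not None:
            self.hrefs.append(href)
            if "webmention" in (a.get("rel") or "").split():
                self.endpoints.append(href)


def discover_endpoint(target_url, headers, html):
    """Return the absolute Webmention endpoint for target_url, or None.

    The HTTP Link header wins over markup; relative URLs resolve against target_url.
    """
    for part in headers.get("Link", "").split(","):
        m = re.match(r'\s*<([^>]*)>\s*;(.*)', part)
        if not m:
            continue
        url, params = m.groups()
        rel = re.search(r'rel="?([^";]*)"?', params)
        if rel and "webmention" in rel.group(1).split():
            return urljoin(target_url, url)
    finder = _LinkFinder()
    finder.feed(html)
    return urljoin(target_url, finder.endpoints[0]) if finder.endpoints else None


def build_notification(endpoint, source, target):
    """Describe the POST a sender makes: form-encoded source and target URLs."""
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"source": source, "target": target}),
    }


def verify_mention(source, target, fetched_source_html, my_hosts):
    """Receiver-side acceptance check for a claimed mention.

    fetched_source_html is what the receiver itself retrieved from `source`;
    trusting the sender's word instead would let anyone fake a citation.
    A production receiver must also refuse to fetch loopback/private addresses.
    """
    s, t = urlsplit(source), urlsplit(target)
    if s.scheme not in ("http", "https") or t.scheme not in ("http", "https"):
        return False
    if source == target:
        return False               # the spec rejects self-mentions outright
    if t.hostname not in my_hosts:
        return False               # only accept mentions of pages I publish
    finder = _LinkFinder()
    finder.feed(fetched_source_html)
    return any(urljoin(source, h) == target for h in finder.hrefs)


# Constructed sample data (hypothetical domains, not real pages).
TARGET = "https://example.org/posts/triton-malware-fork"
SOURCE = "https://aggregator.example.com/2025/story"
TARGET_PAGE = '<html><head><link rel="webmention" href="/webmention"></head><body></body></html>'
SOURCE_PAGE = ('<html><body><p>Security researcher Brennan '
               '<a href="https://example.org/posts/triton-malware-fork">reported</a> it.'
               '</p></body></html>')

if __name__ == "__main__":
    endpoint = discover_endpoint(TARGET, {}, TARGET_PAGE)
    print("endpoint:", endpoint)
    print("request:", build_notification(endpoint, SOURCE, TARGET))
    print("accepted:", verify_mention(SOURCE, TARGET, SOURCE_PAGE, {"example.org"}))
```

The receiver check is the part that matters for attribution integrity: a mention only appears threaded under a post once the receiver has independently confirmed the citing page links there, so the "I'd have automatically known" property rests on verification, not on the sender's claim.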
Human-curated directories like ooh.directory, Phil Gyford's blogroll of active English-language RSS feeds, or The Wild Wild Web, which is a modern Yahoo Directory for non-commercial sites with something to say. A human looked at these sites and decided they were worth your time. One of the best recommendations I could give is Scrolls by Shellsharks, a fantastic newsletter linking to the IndieWeb, Fediverse, and Cybersecurity weekly.
88x31 buttons, the tiny pixelart badges you see primarily on Neocities pages, are a social graph you can actually see. When someone puts your button on their site, they're endorsing you publicly.
Kagi lets you personally uprank or downrank any domain, meaning you could explicitly tell it to weight brennan.day higher than GBHackers when you're looking for the original source of something. Ecosia plants trees and doesn't build a surveillance profile on you. Neither will ever have Google's index size. That's fine.
All of this requires more effort. You have to actually go looking instead of reflexively searching. Like a garden, there's maintenance. Read a blogroll, join a webring, check your RSS reader.
That's the point.
Frictionless instant access to everything isn't unambiguously good. The friction is part of the meaning. The discovery itself carries a human fingerprint.
I want to end this article with two asks. First, star and try out Otávio's app Triton, which was the whole reason I wrote my original article. Second, you'll need to be on omg.lol to use it, so consider giving that a whirl too!