"On September 12, MorphiSec notified Avast and Cisco about the malware and both started their own investigations. Avast also contacted law enforcement on the same day."
Considering the circumstances surrounding many other security breaches lately, I at least respect them for making this decision. However... I am curious about:
"On September 18, both Piriform and Cisco’s Talos division made the announcement about the incident."
While yes, they had released the updated version without the malware 3 days earlier, why wait for 6 days to notify the public about the development? I assume that there are probably (still) file repository sites that have older versions available and there might be people who don't get the latest version every time. If law enforcement told them not to release it, I can understand, but beyond that it seems like they should have made an announcement at the very least on the 15th when the command and control servers were shut down.