I have no idea how the attack is happening especially since so little information is known (i have soooo many questions lol), but a couple basic things that should happen imo:
If you're using TAILS or similar, fully wipe usb and reinstall (or just throw away usb and acquire a new one)
Everyone (especially vendors) most DEFINITELY needs to run quality malware software on their computer/phone ASAP. Then this software needs to be continuously running both on your computer/phone (if using Android) and have browser access. Obviously delete anything malicious and then run it again. This isn't full-proof of course, but can find most non zero-day malware, depending on whether you are running software that's cheap/free and shitty or high quality and with well updated definitions...
If you've been affected, then I personally would then fully delete (the app and all associated files) any browser i am using and then reinstall (even if the malware software says you're good. Can never be too careful when it comes to security)
AFTER that, everyone needs to change your email password (even if you just changed it). Another option is getting a new email, but you should fully delete the old one afterwards! You can export contacts to preserve your client/friend/whatever list so this shouldn't be a problem.
You need to set up 2FA on any email provider you use (and anything that provides it really). 2FA CAN be defeated but it's a much harder thing to do and it provides a LOT more security than a password alone. Remember: 2FA won't protect you against a Man-in-the-midde/browser attack it will just add a layer of security to your login credentials.
For vendors: Unless you send out mass emails turn off the default "automatically save contacts" feature. This will prevent hackers from easily harvesting your entire customer list. Also in general, please know that SUBJECT LINES ARE NOT ENCRYPTED EVER (on protonmail or otherwise), only the email body is.
Make it a habit to NEVER click on a link in a browser without first checking to see what the link is. Firefox shows the full link (it appears on bottom left of browser window) when you hover the cursor over it, by default. Not sure about other browsers.
Make sure your email is only associated with activity here, so that no other info is compromised if that email becomes compromised.
Familiarize yourself with phishing scams and how to avoid them. Some basics: Always check the sender email. Do this EVERY time someone emails you. Never click on links in an email or text message. If the link says to go to your protonmail account and update whatever, then just go to your browser and manually log in to your account to see if that's true. I know this can seem tedious and annoying but if you make this a habit the likelihood of being phished is enormously reduced. I personally never click on links in emails even when i know the email sender is valid. If a customer/vendor sends you a temp.pm link, first check to make sure the link is actually a temp.pm (or similar) link, then just copy/paste it in your browser instead of clicking. Other than temp.pm links there's really NO reason a customer or vendor needs to be sending you links ever. All TNs should be copy/pasted not clicked. If something seems off in the way the customer/vendor is suddenly responding then it probably is off. Obviously a lot of phishing scams are more sophisticated and require more vigilance but as a general rule if a person/company is contacting you needing critical info or money or login info, then its always fucking bullshit.
EVERY customer needs to check here and in the vendor threads before ordering. Both to check for email changes and to read up on how the current situation is affecting customers and vendors. This should be happening regardless, but i imagine people get used to just emailing and not checking for current reviews or whatnot.
ALSO: Protonmail allows you to set up IP logs so you can see when people try to log on to your account and from where. This has an obvious anonymity drawback as protonmail will log IP and time of attempted login, so choose this wisely. You can also see who has current sessions with your account and revoke access to any device you want under "Sessions Management." Both of these options are under "Security" in your "Settings."
Again, these are just a couple absolute basics that i would do and vendors should most definitely do imo. I have no way of knowing whether this will prevent this attack from happening but it will definitely cover a lot of bases. Other people will have other things to add hopefully. I mean i know a lot of people who would do a fully wipe and reinstall of OS if this happened to them which is also what i would do. If the problem persists with a vendor after doing the above, that would be an ESSENTIAL thing to happen. Another reason why doing business from a bootable OS on a usb comes in handy.....
Hopefully this helps some!!! Take care all and be safe!!
just sent your pack despite anything. Thanks for the heads up, patient zero 
