Email accounts are among the most frequently exposed pieces of personal data in security breaches, which is a major reason why people often find their information circulating online. While using stronger passwords and enabling multi-factor authentication can significantly improve online safety, these measures do not address every risk. In many situations, individuals unintentionally make it easier for attackers to access their information simply by sharing their email address.
Whenever you register for promotional emails, shop online, or sign up for free trials, you are usually required to provide an email address. Using your primary email in these cases increases the likelihood that data brokers will collect and resell your information. In an environment where cybercriminals actively look for such data, even basic details can be exploited. Attackers may use this information for account takeovers, phishing campaigns, financial fraud, or even website misuse. If the same password is reused across platforms, a leaked email-password combination can also provide access to social media accounts and digital banking services.
To reduce this exposure without completely changing how you use email, one effective approach is to adopt a burner email, sometimes called a disposable or temporary email, or an email alias. This is a secondary address created specifically for limited or one-time use. It can be useful for situations where you want to remain anonymous, manage signups separately, or prevent your main inbox from becoming overloaded.
Unwanted emails are a persistent issue for most users. Messages from social media platforms, online stores, and newsletter subscriptions can quickly accumulate, resulting in hundreds of unread emails. This clutter can consume storage space and make it harder to notice important messages. Although users often try to manage this by marking emails as spam or clearing their inbox, these efforts are not always effective. Even after unsubscribing, promotional emails often continue to arrive, forcing users to repeat the same cleanup process frequently.
Because managing a primary email account for personal or professional use can become overwhelming, using a separate email for non-essential activities is one of the most efficient ways to reduce spam. A temporary address dedicated to registrations, shopping platforms, or newsletters helps keep the main inbox organized. In many cases, setting up such an address is straightforward. For example, users of Gmail can create variations of their existing email by adding a “+” symbol followed by a keyword. An address like “username+promotions@gmail.com” will still deliver messages to the main inbox.
Since Gmail does not allow these alias variations to be deleted, users can instead create filters to automatically sort incoming messages. These filters can archive, delete, or label emails associated with specific aliases for later review. Other email providers may offer different methods for creating aliases, and some may not support this feature at all, so users should verify what options are available to them.
A primary email account serves multiple purposes beyond communication. It can store important files, act as a central identity across services, and help manage tasks. Because of this, protecting it from data brokers is critical. Receiving alerts that your email address has appeared on the dark web can be alarming. While such exposure does not necessarily mean your accounts have been directly compromised, it does increase the likelihood of attacks such as credential stuffing, identity theft, and phishing.
Since your main email often acts as the entry point to your digital life, limiting where you share it is essential. When asked to provide an email for purchases, downloads, or anonymous participation, it is safer to avoid using your personal or professional address. Although aliases can help organize incoming messages, they do not fully hide your actual email identity.
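As an added illustration (not part of the original article), the snippet below shows both sides of the "+" alias technique described above: a small filter table that routes mail by alias tag, and a normalization step that shows why an alias alone does not hide the underlying address, since anyone holding it can strip the tag. The filter actions are constructed examples, not Gmail's own rule syntax.

```python
import re

# Added example, not from the original article: routing rules keyed by the
# "+tag" of a Gmail-style alias, and the normalization that shows why such an
# alias does not hide the underlying address.

ADDR_RE = re.compile(r"^([^@+]+)(?:\+([^@]+))?@([^@]+)$")

def split_alias(address):
    """Return (local_part, tag, domain); tag is None when no '+' is present."""
    m = ADDR_RE.match(address.strip().lower())
    if not m:
        raise ValueError(f"not a plausible email address: {address!r}")
    local, tag, domain = m.groups()
    return local, tag, domain

def normalize_gmail(address):
    """Collapse a Gmail alias to the inbox that actually receives it.

    Gmail ignores the '+tag' suffix and dots in the local part, so anyone
    holding the alias can recover the real address with this same step.
    """
    local, _tag, domain = split_alias(address)
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

# Constructed filter table: tag -> action, mirroring what a Gmail filter
# would do for mail addressed to each alias.
FILTERS = {
    "promotions": "label:Promotions, archive",
    "trials": "label:Trials, archive",
    "shop": "label:Receipts",
}

def route(to_address):
    """Decide what to do with an incoming message based on its alias tag."""
    _local, tag, _domain = split_alias(to_address)
    if tag is None:
        return "inbox"  # mail sent to the bare address
    return FILTERS.get(tag, "label:Unknown-alias, archive")

if __name__ == "__main__":
    for addr in ("username+promotions@gmail.com", "user.name@gmail.com",
                 "username+leak42@gmail.com"):
        print(addr, "->", route(addr), "| real inbox:", normalize_gmail(addr))
```

An alias tag that appears in a breach you never registered with (the "leak42" case) at least tells you which service leaked it, even though it reveals the real inbox.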
For stronger privacy, a true burner email is more effective. This type of account is usually anonymous and not connected to your personal identity. It allows you to send and receive messages without revealing who you are. This can also reduce the effectiveness of phishing attacks, as attackers have less information to craft targeted scams or trick users into sharing sensitive data such as financial details or identification numbers.
Most personal or work email addresses include identifiable elements such as your name or initials, making it easier for others to recognize you. This reduces anonymity. In situations where privacy is important, such as accessing discounts or completing one-time verifications, a fully separate burner account is more suitable.
Unlike simple email forwarding systems or aliases, many burner email services generate completely unique addresses using random combinations of letters, numbers, and symbols. This allows users to interact with unfamiliar platforms or individuals without exposing personal details. Some of these services also automatically delete accounts after a short period or limited usage. Once removed, they typically leave little to no recoverable data in storage systems or broker databases.
Despite their advantages, burner emails are not appropriate for every use case. Knowing when to rely on them is as important as knowing when to use a permanent email. Many disposable email services are designed for speed and convenience, which means they may not include features such as password protection, encryption, or multi-factor authentication. Their primary form of security is simply that they are temporary.
Before using such services, it is important to review their terms and privacy policies. Even if you believe no sensitive information is being shared, these platforms may still collect metadata such as your IP address, which can be used to gather additional insights about your activity.
Hackers targeted Axios, a popular open-source JavaScript library that developers use to make HTTP requests. The North Korean group gained access to organizations' systems through malware that opens backdoor access to the operating system. The attackers targeted two versions of Axios, which were downloaded over 183 million times each week; organizations that downloaded them during that window were exposed to the attack.
Hackers with ties to Pyongyang gained access on Tuesday to the account of a software engineer who maintains the open-source program Axios, and held it for at least three hours. According to the report, the attackers used that access to push infected updates to any company that downloaded the software during that time. The developer rushed to regain control of his account while cybersecurity executives nationwide tried to determine the extent of the damage.
While the full damage may take months to repair, experts believe that hundreds of thousands of business secrets have already leaked, which could make this one of the worst data breaches.
The North Korean group suspected of hacking Axios is called UNC1069. Since 2018, the group has attacked the finance industry. Mandiant believes that the hackers will "try to leverage the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises."
Hacking has become a staple for North Korea. The revenue generated from these cyberattacks funds the country's nuclear and missile programs, to the point that those programs are half funded through hacking. In recent years, state-sponsored hackers have stolen billions of dollars from banks and cryptocurrency firms, including the infamous, record-breaking $1.5 billion crypto theft in 2025 in a single attack.
The recent attack was the most advanced supply chain effort to date, covering its tracks after installing the payload on the target device. That made detection difficult for developers who unknowingly downloaded the malicious software. Experts say that UNC1069 is not even trying to hide anymore; the group simply disappears before it is detected.
A security incident involving the widely used Axios HTTP library has revealed how attackers are increasingly targeting software maintainers themselves, rather than exploiting code vulnerabilities, to carry out large-scale supply chain attacks.
The issue came to light after Axios maintainers disclosed that an attacker gained access to a contributor’s npm account and used it to publish two compromised versions of the package, 1.14.1 and 0.30.4. These releases included a hidden dependency named plain-crypto-js, which deployed a remote access trojan across macOS, Windows, and Linux systems.
Although the malicious packages were available for only about three hours before being removed, the short exposure window does not reduce the severity. Any system that installed these versions is now considered unsafe. Users have been advised to immediately rotate all credentials, revoke authentication tokens, and assume full compromise of affected environments.
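The first question a defender asks after a disclosure like this is whether any lockfile in the estate pinned one of the affected releases. The following script is an added example, not code from the Axios project or the advisory: it walks an npm lockfile (v1 nested tree or v2/v3 flat map) and flags the two compromised versions and the injected `plain-crypto-js` dependency. The sample lockfile and the `4.2.1` version of the injected package are constructed.

```python
import json

# Added defender check, not from the Axios project: walk an npm lockfile and
# flag the two compromised Axios releases named in the disclosure and the
# injected dependency they pulled in.

COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}  # versions cited in the disclosure
INJECTED_DEPENDENCY = "plain-crypto-js"   # hidden dependency those releases added

def iter_lock_packages(lock):
    """Yield (name, version) for every package in a v1 or v2/v3 lockfile."""
    # v2/v3: flat "packages" map keyed by path, e.g. "node_modules/axios"
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project itself
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version")
    # v1 (and v2 for compatibility): nested "dependencies" tree
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version")
            if "dependencies" in meta:
                stack.append(meta["dependencies"])

def find_compromised(lock):
    """Return sorted findings as 'name@version' strings (empty when clean)."""
    hits = set()
    for name, version in iter_lock_packages(lock):
        if name == "axios" and version in COMPROMISED_AXIOS:
            hits.add(f"axios@{version}")
        if name == INJECTED_DEPENDENCY:
            hits.add(f"{name}@{version}")
    return sorted(hits)

# Constructed sample lockfile (v3 layout) representing an affected install.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "4.2.1"},
    "node_modules/follow-redirects": {"version": "1.15.6"}
  }
}""")

if __name__ == "__main__":
    findings = find_compromised(SAMPLE_LOCK)
    print("compromised:" if findings else "clean", *findings)
```

A hit on any line means the advice above applies in full: the host that ran `npm install` is treated as compromised, not merely the dependency.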
The Axios team confirmed that they have since secured their infrastructure by resetting credentials, cleaning impacted machines, and introducing additional safeguards to prevent similar incidents.
Further investigation by Google Threat Intelligence Group linked the activity to a North Korea-associated threat actor identified as UNC1069. This group, active since at least 2018, is believed to be financially motivated. Attribution was based on malware similarities, including the use of an updated toolset previously tied to the group, as well as overlaps in command-and-control infrastructure observed in earlier operations.
Social Engineering as the Entry Point
The compromise did not begin with a technical flaw. Instead, it started weeks earlier with a carefully orchestrated social engineering attack targeting Axios maintainer Jason Saayman.
Attackers posed as a legitimate organization by replicating its branding, leadership identities, and communication style. They invited the target into what appeared to be a genuine Slack workspace. This environment was not hastily assembled. It contained multiple channels, staged conversations, and curated activity, including links that redirected to real company LinkedIn profiles. Fake user accounts were also created to impersonate employees and known open-source contributors, increasing credibility.
After establishing trust, the attackers scheduled a video meeting that appeared to involve several participants. During the session, the target was shown what looked like a technical issue, specifically a connection-related error. He was then instructed to install an update presented as necessary to resolve the problem.
In reality, this “update” was malicious software that granted the attackers remote access to the system. Once inside, they were able to extract authentication credentials linked to the npm account.
Repeated Tactics Across Multiple Targets
Other maintainers later reported nearly identical experiences. In several cases, attackers tried to persuade targets to install what they described as a Microsoft Teams software development kit update. When that approach failed, they escalated by asking victims to execute command-line instructions, including downloading and running scripts via curl commands.
One such target, Pelle Wessman, described how attackers abandoned the interaction and deleted all communication after he refused to comply.
These methods align with a broader category of attacks sometimes referred to as “ClickFix” techniques, where victims are misled into resolving fake technical issues that ultimately result in malware execution.
Bypassing Security Controls
Because the attackers gained access to already authenticated sessions, they were able to bypass multi-factor authentication protections. This highlights a critical limitation of MFA, which is effective against credential theft but less effective once an active session is compromised.
Importantly, the attackers did not modify Axios’s source code directly. Instead, they inserted a malicious dependency into legitimate package releases, making the compromise significantly harder to detect during routine checks.
A Coordinated Supply Chain Campaign
Research from Socket indicates that this incident is part of a broader, coordinated campaign targeting maintainers across the Node.js ecosystem. Multiple developers, including contributors to widely used packages and even core components, reported receiving similar outreach messages through platforms such as LinkedIn and Slack.
The attackers followed a consistent pattern: initial contact, trust-building within controlled communication channels, followed by staged video calls where victims were prompted to install software or run commands under the pretense of fixing technical issues.
The scale of targeting is particularly concerning. Many of the developers approached are responsible for packages with billions of weekly downloads, meaning a single compromised account can have far-reaching consequences across the global software ecosystem.
Future Outlook
This incident marks a shift in attacker strategy. Rather than focusing solely on software vulnerabilities, threat actors are increasingly exploiting human trust within high-impact projects. Open-source software, which underpins much of today’s digital infrastructure, is an attractive target because of its widespread adoption and its reliance on individual maintainers.
Security experts warn that such attacks are likely to increase in frequency. Protecting against them will require not only technical safeguards, but also stronger operational discipline, including stricter access controls, hardware-based authentication, and heightened awareness of social engineering tactics.
The Axios breach ultimately demonstrates that in modern supply chain attacks, the weakest link is often not the code, but the people who maintain it.
An upgraded variant of BX RAT, JanelaRAT, can steal cryptocurrency and financial data from financial organizations, trace mouse inputs, log keystrokes, collect system information, and take screenshots.
In a recent report, Kaspersky said, “One of the key differences between these trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims' browsers and perform malicious actions.” The hackers behind the JanelaRAT attacks constantly modify the malware versions by adding new features.
Telemetry data collected by a Russian cybersecurity firm suggests that around 11,695 attacks happened in Mexico and 14,739 in Brazil in 2025. We do not know how many of these led to a successful exploit.
In June 2023, Zscaler first discovered JanelaRAT in the wild. That campaign used ZIP archives containing a VBScript that downloaded a second ZIP file holding a genuine executable and a DLL payload; the attacker then used DLL side-loading to launch the malware.
An analysis by KPMG in 2025 revealed that the malware is distributed via rogue MSI installer files impersonating legitimate software hosted on trusted sites such as GitLab.
"Upon execution, the installer initiates a multi-stage infection process using orchestrating scripts written in Go, PowerShell, and batch," KPMG said. "These scripts unpack a ZIP archive containing the RAT executable, a malicious Chromium-based browser extension, and supporting components."
The scripts are also made to recognize installed Chromium-based browsers and secretly configure their launch parameters to install the extension. The browser add-on collects system data, cookies, browsing history, tab metadata, and installed extensions. It also triggers actions depending upon URL pattern matches.
The recent campaign identified by Kaspersky uses phishing emails disguised as overdue invoices to lure recipients into opening a link that supposedly downloads a PDF. The link instead delivers a ZIP archive that starts the attack chain, which includes DLL side-loading to deploy JanelaRAT.
Since May 2024, JanelaRAT has moved from VBScripts to MSI installers, which act as a dropper for the trojan via DLL side-loading and establish persistence on the victim system by placing a Windows shortcut (LNK) that points to the executable in the Startup folder.
According to Kaspersky, “The malware determines if the victim's machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input.”
If the inactivity is over ten minutes, “the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track the user's presence and routine to time possible remote operations," Kaspersky said.
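Two of the behaviours described above leave host artifacts a defender can look for: browser shortcuts whose launch parameters force an extension to load, and a Startup-folder LNK pointing at an executable dropped in a user-writable path. The script below is an added detection example, not code from the Kaspersky or KPMG reports; it runs over constructed (shortcut path, resolved command line) records of the kind a LNK parser would produce, and it assumes the extension is installed through Chromium's `--load-extension` / `--disable-extensions-except` switches, which the reports do not name.

```python
import re

# Added detection heuristics, not from the Kaspersky or KPMG reports, run over
# constructed (shortcut path, resolved command line) records as a LNK parser
# would emit them. Assumption: the "launch parameters" that install the extension
# are Chromium's --load-extension / --disable-extensions-except switches.

CHROMIUM_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe"}
EXT_SWITCHES = ("--load-extension=", "--disable-extensions-except=")
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\(Downloads|Public))\\", re.I)
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # keeps quoted spans as one token

def check_shortcut(lnk_path, cmdline):
    """Return finding strings for one shortcut (empty list when benign)."""
    findings = []
    argv = TOKEN_RE.findall(cmdline)
    if not argv:
        return findings
    exe = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    # 1. Browser shortcut forced to side-load an extension from disk
    if exe in CHROMIUM_EXES:
        for arg in argv[1:]:
            if arg.startswith(EXT_SWITCHES):
                findings.append(f"{lnk_path}: browser launched with {arg}")
    # 2. Startup-folder shortcut whose target lives in a user-writable path
    if "\\start menu\\programs\\startup\\" in lnk_path.lower():
        if USER_WRITABLE.search(argv[0]):
            findings.append(f"{lnk_path}: startup item runs {argv[0]}")
    return findings

def scan(records):
    """Run check_shortcut over (lnk_path, cmdline) pairs and collect findings."""
    out = []
    for lnk_path, cmdline in records:
        out.extend(check_shortcut(lnk_path, cmdline))
    return out

# Constructed sample records; names and paths are illustrative, not real IoCs.
SAMPLE = [
    (r"C:\Users\ana\Desktop\Google Chrome.lnk",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\ana\AppData\Roaming\upd\ext"'),
    (r"C:\Users\ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
     r'"C:\Users\ana\AppData\Local\Temp\svc\host.exe"'),
    (r"C:\Users\ana\Desktop\Notepad.lnk", r'"C:\Windows\System32\notepad.exe"'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```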
Although the Russian government is intensifying its efforts to reassert control over digital communication channels, the unintended consequences of that strategy are becoming evident in a number of critical sectors beyond social media. Over the past week, significant disruptions to the domestic financial infrastructure have coincided with sweeping restrictions on the use of virtual private networks, which are widely relied upon to bypass state-imposed restrictions.