@bobfrankston/rmfmail — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bobfrankston

Keywords

emailimapsmtpmail-clientwebview

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	rapid-publish	AI (publish-pattern): Publisher has 337 versions with automated rapid publishing; consistent pattern for this active project.	ai	2026/05/31
phantom-deps	phantom-dep:@bobfrankston/mailx-store-web	AI (phantom-deps): Same-org scoped package; phantom-dep heuristic false positive for this package.	ai	2026/05/30
source-diff	encoded-string-file:client/android-bootstrap.bundle.js	AI (source-diff): Encoded string is sql-wasm.wasm bundled as base64 via sql.js — standard legitimate pattern.	ai	2026/05/30
phantom-deps	phantom-dep:@bobfrankston/rmf-tiny	AI (phantom-deps): Same-org scoped package; phantom-dep heuristic false positive for this package.	ai	2026/05/30
phantom-deps	phantom-dep:dictionary-en	AI (phantom-deps): Declared but config-only; same-org package pattern, stable false positive.	ai	2026/05/30
source-diff	large-new-source-files	AI (source-diff): Vendored TinyMCE assets and bundle; expected for this email client package.	ai	2026/05/30
source-diff	source-size-tripled	AI (source-diff): Growth from adding TinyMCE and related editor deps; expected.	ai	2026/05/30
source-diff	obfuscated-file:client/android-bootstrap.bundle.js	AI (source-diff): esbuild-style bundle for Android client; standard bundler output pattern.	ai	2026/05/28
npm-metadata	bundled-binaries	AI (npm-metadata): rmfmailto.exe is the package's own mailto: handler binary; present across many versions.	ai	2026/05/28
semgrep	semgrep:new-function-constructor	AI (semgrep): Fires inside bundled Quill editor (quill.js line 2); standard minified library pattern.	ai	2026/05/24
source-diff	obfuscated-file:client/lib/tinymce/skins/ui/tinymce-5/content.js	AI (source-diff): Standard TinyMCE vendored skin file; minified CSS-in-JS is expected for this library.	ai	2026/05/18
source-diff	obfuscated-file:client/lib/tinymce/skins/ui/oxide-dark/content.inline.js	AI (source-diff): Standard TinyMCE vendored skin file; minified CSS-in-JS is expected for this library.	ai	2026/05/18
source-diff	obfuscated-file:client/lib/tinymce/skins/ui/oxide/content.inline.js	AI (source-diff): Standard TinyMCE vendored skin file; minified CSS-in-JS is expected for this library.	ai	2026/05/18
source-diff	obfuscated-file:client/lib/tinymce/skins/ui/tinymce-5-dark/content.inline.js	AI (source-diff): Standard TinyMCE vendored skin file; minified CSS-in-JS is expected for this library.	ai	2026/05/18
source-diff	obfuscated-file:client/lib/tinymce/skins/ui/tinymce-5/content.inline.js	AI (source-diff): Standard TinyMCE vendored skin file; minified CSS-in-JS is expected for this library.	ai	2026/05/18
source-diff	obfuscated-file:client/lib/tinymce/skins/ui/oxide-dark/content.js	AI (source-diff): Standard TinyMCE vendored skin file; minified CSS-in-JS is expected for this library.	ai	2026/05/18
source-diff	obfuscated-file:client/lib/tinymce/skins/ui/oxide/content.js	AI (source-diff): Standard TinyMCE vendored skin file; minified CSS-in-JS is expected for this library.	ai	2026/05/18
source-diff	obfuscated-file:client/lib/tinymce/skins/ui/tinymce-5-dark/content.js	AI (source-diff): Standard TinyMCE vendored skin file; minified CSS-in-JS is expected for this library.	ai	2026/05/18
source-diff	obfuscated-file:client/lib/tinymce/plugins/emoticons/js/emojiimages.js	AI (source-diff): Standard TinyMCE vendored emoji data file; large minified data is expected.	ai	2026/05/18
source-diff	obfuscated-file:client/lib/tinymce/plugins/emoticons/js/emojis.js	AI (source-diff): Standard TinyMCE vendored emoji data file; large minified data is expected.	ai	2026/05/18
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall runs a local node script with no network or shell exec; benign setup pattern for this package.	ai	2026/05/10
phantom-deps	phantom-dep:@capacitor/android	AI (phantom-deps): Capacitor deps referenced in config only; stable false positive for this package.	ai	2026/05/10
phantom-deps	phantom-dep:@capacitor/core	AI (phantom-deps): Capacitor deps referenced in config only; stable false positive for this package.	ai	2026/05/10
phantom-deps	phantom-dep:@capacitor/cli	AI (phantom-deps): Capacitor deps referenced in config only; stable false positive for this package.	ai	2026/05/10
phantom-deps	phantom-dep:quill	AI (phantom-deps): Referenced in config files only; stable false positive for this package.	ai	2026/05/10
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Raw IP is 127.0.0.1 in a console.log message directing users to local UI; not an outbound network request.	ai	2026/05/10

Versions (showing 25 of 25)

Version	Deps	Published
1.1.186	27 / 3	2026-05-28
1.1.159	27 / 3	2026-05-26
1.1.158	27 / 3	2026-05-26
1.1.156	27 / 3	2026-05-26
1.1.131	27 / 3	2026-05-23
1.1.106	27 / 3	2026-05-21
1.1.75	27 / 3	2026-05-17
1.1.33	27 / 3	2026-05-15
1.1.32	27 / 3	2026-05-15
1.1.31	27 / 3	2026-05-15
1.0.705	27 / 3	2026-05-14
1.0.542	22 / 1	2026-05-06
1.0.500	20 / 1	2026-05-04
1.0.499	20 / 1	2026-05-04
1.0.492	20 / 1	2026-05-04
1.0.487	20 / 1	2026-05-04
1.0.486	20 / 1	2026-05-04
1.0.484	20 / 1	2026-05-04
1.0.479	20 / 1	2026-05-03
1.0.476	20 / 1	2026-05-03
1.0.475	20 / 1	2026-05-03
1.0.473	20 / 1	2026-05-03
1.0.472	20 / 1	2026-05-03
1.0.470	20 / 1	2026-05-02
1.0.469	21 / 1	2026-05-02

v1.1.186

2 findings

HIGH Long encoded string in modified file: client/android-bootstrap.bundle.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.159

3 findings

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • bin/rmfmailto.exe

HIGH Long encoded string in modified file: client/android-bootstrap.bundle.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.158

3 findings

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • bin/rmfmailto.exe

HIGH Long encoded string in modified file: client/android-bootstrap.bundle.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.156

3 findings

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • bin/rmfmailto.exe

HIGH Long encoded string in modified file: client/android-bootstrap.bundle.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.131

3 findings

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • bin/rmfmailto.exe

HIGH Long encoded string in modified file: client/android-bootstrap.bundle.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.106

3 findings

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • bin/rmfmailto.exe

HIGH New obfuscated file: client/android-bootstrap.bundle.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.75

13 findings

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • bin/rmfmailto.exe

HIGH New obfuscated file: client/android-bootstrap.bundle.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: client/lib/tinymce/skins/ui/oxide-dark/content.inline.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: client/lib/tinymce/skins/ui/oxide/content.inline.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: client/lib/tinymce/skins/ui/tinymce-5-dark/content.inline.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: client/lib/tinymce/skins/ui/tinymce-5/content.inline.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: client/lib/tinymce/skins/ui/oxide-dark/content.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: client/lib/tinymce/skins/ui/oxide/content.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: client/lib/tinymce/skins/ui/tinymce-5-dark/content.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: client/lib/tinymce/skins/ui/tinymce-5/content.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: client/lib/tinymce/plugins/emoticons/js/emojiimages.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: client/lib/tinymce/plugins/emoticons/js/emojis.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.33