Local-first email client with IMAP sync and standalone native app
The Android bootstrap silently transmits diagnostic strings to an unrelated external host. Account startup logs include email metadata and serialize IMAP configuration, which can include the account password.
Package defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
bin/mailx.jsView on unpkg · L53Package source invokes a package manager install command at runtime.
bin/mailx.jsView on unpkg · L2500Source file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/mailx.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
bin/mailx.jsView on unpkg · L53Package source references a known benign dynamic code generation pattern.
client/app.bundle.jsView on unpkg · L10279Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
bin/lean-accounts.jsView on unpkg · L137Package source references dynamic require/import behavior.
bin/lean-accounts.jsView on unpkg · L136Package source references weak cryptographic algorithms.
bin/build-bundles.mjsView on unpkg · L5Source file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/mailx.tsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/build-rmfmailto-exe.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
packages/mailx-service/index.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
packages/mailx-service/index.tsView on unpkgPackage defines install-time lifecycle scripts.
package.jsonView on unpkg · L34Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkg · L34Package source references weak cryptographic algorithms.
bin/build-bundles.mjsView on unpkg · L5Source file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/mailx.tsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/build-rmfmailto-exe.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
packages/mailx-service/index.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
packages/mailx-service/index.tsView on unpkgSource writes installer persistence such as shell profile or service configuration.
bin/mailx.jsView on unpkg · L53Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
bin/mailx.jsView on unpkg · L53Package source invokes a package manager install command at runtime.
bin/mailx.jsView on unpkg · L2500Source file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/mailx.jsView on unpkgPackage source references a known benign dynamic code generation pattern.
client/app.bundle.jsView on unpkg · L10279Package source references dynamic require/import behavior.
bin/lean-accounts.jsView on unpkg · L136Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
bin/lean-accounts.jsView on unpkg · L137