A newly discovered flaw in OpenPGP.js, a JavaScript cryptography library used by services like Proton Mail, could allow attackers to spoof messages that appear securely signed and encrypted, security researchers said.