
Throw Away Galois/Counter Mode as Committing Encryption #1

@marcoonroad

Description


Following the article Message Franking via Committing Authenticated Encryption, the internal hash of GCM used for the MAC is not collision-resistant, and thus breaks the binding property (the sender can brute-force a MAC collision in a feasible amount of time/space). It's possibly because the hash of GCM is 128 bits; most 128-bit hashes are already broken nowadays too.

Due to that attack vector, I must replace AES-GCM entirely. I should instead use better options, such as AES-CBC + BLAKE2b 512-bit keyed mode, for instance. In that case, it would be an instance of the Encrypt-then-MAC approach to authenticated encryption algorithms.

Backwards compatibility will be broken, and I must report that at the top of the documentation. There is some mitigation in the nocoiner implementation against the GCM hash attack vector. Internally, we use null-padding and Base64 encoding, so it's a hardened hack -- the sender would have to find a GCM tag collision which still makes the decrypted text parseable as Base64.

This issue is left open to possibly track further discussion.
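Added worked example (editor's code, not part of this issue and not nocoiner's implementation): the binding failure described above can be reproduced against Go's standard AES-GCM without any brute force. The GCM tag is GHASH over the ciphertext blocks, which is linear in each block over GF(2^128), XORed with one AES output. A sender who holds two keys can therefore choose every ciphertext block but one, solve a single linear equation for the remaining block, and obtain one (nonce, ciphertext, tag) that decrypts successfully under both keys to different plaintexts; this is the construction behind the "invisible salamander" result of Dodis, Grubbs, Ristenpart and Woodage (2018). The keys, nonce and message are constructed for the demo, ForgeCollidingCiphertext and OpenUnder are names chosen here, and only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/big"
)
var ( // constructed demo material, not real secrets; prefixA must be whole 16-byte blocks
	keyA    = []byte("0123456789abcdef")
	keyB    = []byte("fedcba9876543210")
	nonce   = []byte("salamander01")
	prefixA = []byte("Attack at dawn!! Burn the bridge")
)

// aesEnc is one raw AES block encryption, returned as a big-endian integer.
func aesEnc(key, in []byte) *big.Int {
	c, _ := aes.NewCipher(key)
	out := make([]byte, 16)
	c.Encrypt(out, in)
	return new(big.Int).SetBytes(out)
}

// gfMul is NIST SP 800-38D Algorithm 1; on big-endian ints the spec's bit 0 is int bit 127 and R = 0xE1<<120.
func gfMul(x, y *big.Int) *big.Int {
	r := new(big.Int).Lsh(big.NewInt(0xE1), 120)
	z, v := new(big.Int), new(big.Int).Set(y)
	for i := 0; i < 128; i++ {
		if x.Bit(127-i) == 1 {
			z.Xor(z, v)
		}
		carry := v.Bit(0)
		v.Rsh(v, 1)
		if carry == 1 {
			v.Xor(v, r)
		}
	}
	return z
}

// gfInv is x^(2^128-2) = x^-1 (Fermat); the identity element in GCM's bit ordering is 1<<127.
func gfInv(x *big.Int) *big.Int {
	res, base := new(big.Int).Lsh(big.NewInt(1), 127), gfMul(x, x)
	for i := 1; i < 128; i++ { // the exponent has bits 1..127 set
		res, base = gfMul(res, base), gfMul(base, base)
	}
	return res
}

// ghash folds 16-byte blocks as Y_i = (Y_{i-1} xor X_i) * H.
func ghash(h *big.Int, blocks [][]byte) *big.Int {
	y := new(big.Int)
	for _, b := range blocks {
		y = gfMul(y.Xor(y, new(big.Int).SetBytes(b)), h)
	}
	return y
}

// ForgeCollidingCiphertext returns (ciphertext, tag) that AES-GCM accepts under both keys for this 12-byte nonce.
func ForgeCollidingCiphertext(keyA, keyB, nonce, prefix []byte) ([]byte, []byte) {
	m := len(prefix)/16 + 1
	ctr := func(i uint32) []byte { // nonce || 32-bit big-endian counter, GCM's layout for 96-bit nonces
		return append(append([]byte{}, nonce...), byte(i>>24), byte(i>>16), byte(i>>8), byte(i))
	}
	hA, hB := aesEnc(keyA, make([]byte, 16)), aesEnc(keyB, make([]byte, 16)) // hash subkeys E_K(0)
	eA, eB := aesEnc(keyA, ctr(1)), aesEnc(keyB, ctr(1))                     // tag masks E_K(nonce||1)
	buf := make([]byte, 16*(m+1)) // m ciphertext blocks, then the length block (AAD bits = 0 || ciphertext bits)
	binary.BigEndian.PutUint64(buf[16*m+8:], uint64(16*m*8))
	blocks := make([][]byte, m+1) // views into buf, so filling block m below also updates the GHASH input
	for i := range blocks {
		blocks[i] = buf[16*i : 16*i+16]
		if i < m-1 { // blocks 1..m-1 carry prefix under keyA's CTR keystream (counter starts at 2)
			for j, k := range aesEnc(keyA, ctr(uint32(i+2))).FillBytes(make([]byte, 16)) {
				blocks[i][j] = prefix[16*i+j] ^ k
			}
		}
	}
	// GHASH is linear in every block, and block m (still zero) is multiplied by H^2, so the tag equality
	// G_A0 + C_m*H_A^2 + E_A == G_B0 + C_m*H_B^2 + E_B gives C_m = (G_A0+G_B0+E_A+E_B)/(H_A^2+H_B^2).
	d := new(big.Int).Xor(ghash(hA, blocks), ghash(hB, blocks))
	denom := new(big.Int).Xor(gfMul(hA, hA), gfMul(hB, hB)) // nonzero unless the two hash subkeys coincide
	gfMul(d.Xor(d, eA).Xor(d, eB), gfInv(denom)).FillBytes(blocks[m-1])
	return buf[:16*m], new(big.Int).Xor(ghash(hA, blocks), eA).FillBytes(make([]byte, 16))
}

// OpenUnder decrypts with Go's standard AES-GCM; ok is false when the tag is rejected.
func OpenUnder(key, nonce, ct, tag []byte) ([]byte, bool) {
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	pt, err := gcm.Open(nil, nonce, append(append([]byte{}, ct...), tag...), nil)
	return pt, err == nil
}
func main() {
	ct, tag := ForgeCollidingCiphertext(keyA, keyB, nonce, prefixA)
	pA, okA := OpenUnder(keyA, nonce, ct, tag)
	pB, okB := OpenUnder(keyB, nonce, ct, tag)
	fmt.Printf("tag %x\nkeyA ok=%v sees %q\nkeyB ok=%v sees %x\n", tag, okA, pA, okB, pB)
}
```

Run it with `go run`: both OpenUnder calls report ok=true, keyA recovers the chosen 32 bytes followed by 16 uncontrolled bytes, and keyB recovers 48 uncontrolled bytes. That sacrificed block is the only thing a "must still parse as Base64" check can catch, and it is inspecting random-looking bytes rather than removing the algebraic structure the attack relies on. A MAC that is collision-resistant over its key and input, such as the keyed BLAKE2b option proposed above, has no such linear equation to solve.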


Labels: invalid (This doesn't seem right), security breach (A security patch must be submitted quickly)
