This file – composer.phar in this plugin has been flagged as malware.
Here is the path to the plugin location – fluent-smtp/includes/libs/google-api-client/build/vendor/firebase/php-jwt/composer.phar
The malware alert says this has a webshell code embedded in it.
I have made sure that this malware file exists in a fresh copy of the plugin downloaded from wordpress.org