The twin-field quantum key distribution (TF-QKD) and its variants can overcome the fundamental rate-distance limit of QKD. However, their physical implementations with the side channels remain the subject of further research. We test the side channel of a type of external intensity modulation that applies a Mach–Zehnder-type electro-optical intensity modulator, which shows the distinguishability of the signal and decoy states in the frequency domain. Based on this security loophole, we propose a side-channel attack, named the passive frequency-shift attack, on the imperfect implementation of the sending or not-sending (SNS) TF-QKD protocol. We analyze the performance of the SNS protocol with the actively odd-parity pairing (AOPP) method under the side-channel attack by giving the formula of the upper bound of the real secret key rate and comparing it with the lower bound of the secret key rate under Alice and Bob’s estimation. The simulation results quantitatively show the effectiveness of the attack on the imperfect devices at a long distance. Our results emphasize the importance of practical security at the light source and might provide a valuable reference for device selection in the practical implementation of the SNS protocol.