I've installed and executed (with nodejs) a package from npm: https://www.npmjs.com/package/openssl.js
Somehow I didn't realize that it hasn't a good reputation (almost no activity/stars on twitter, github). Now I'm afraid that it is a scam. The worst case would be that is stealing/encrypting my data or something like that.
I've checked the processes, I/O and network in the activity monitor but nothing interesting. But I would like to have more confidence that everything is okay.
Since it is a Wasm file I cannot just check the source code.
I've tried to decompile with this tool: https://github.com/WebAssembly/wabt but it gives me for all binaries in that project this error: error: @0x00000004: bad magic value
.
Maybe because in the README of the openssl.js package they claim it is build with wasienv toolchain?
Another idea would be install a honeypot and run the same commands in the honeypot. But which honeypot is suitable for this?
// edit
I was able to run wasm2c on this file: src/raw-wasm/openssl.wasm.
But how can I ensure there was no network interactivity?
Here are the first lines of the output: https://pastebin.com/YYHecFAC
User contributions licensed under CC BY-SA 3.0