Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
keytar-forked-forked
Advanced tools
keytar - Node module to manage system keychain
A native Node module to get, add, replace, and delete passwords in system's keychain. On macOS the passwords are managed by the Keychain, on Linux they are managed by the Secret Service API/libsecret, and on Windows they are managed by Credential Vault.
Installing
npm install keytar
On Linux
Currently this library uses libsecret so you may need to install it before running npm install.
Depending on your distribution, you will need to run the following command:
- Debian/Ubuntu:
sudo apt-get install libsecret-1-dev - Red Hat-based:
sudo yum install libsecret-devel - Arch Linux:
sudo pacman -S libsecret
Building
- Clone the repository
- Run
npm install - Run
npm testto run the tests
Supported versions
Each release of keytar includes prebuilt binaries for the versions of Node and Electron that are actively supported by these projects. Please refer to the release documentation for Node and Electron to see what is supported currently.
Bindings from other languages
Docs
const keytar = require('keytar')
Every function in keytar is asynchronous and returns a promise. The promise will be rejected with any error that occurs or will be resolved with the function's "yields" value.
getPassword(service, account)
Get the stored password for the service and account.
service - The string service name.
account - The string account name.
Yields the string password or null if an entry for the given service and account was not found.
setPassword(service, account, password)
Save the password for the service and account to the keychain. Adds a new entry if necessary, or updates an existing entry if one exists.
service - The string service name.
account - The string account name.
password - The string password.
Yields nothing.
deletePassword(service, account)
Delete the stored password for the service and account.
service - The string service name.
account - The string account name.
Yields true if a password was deleted, or false if an entry with the given service and account was not found.
findCredentials(service)
Find all accounts and password for the service in the keychain.
service - The string service name.
Yields an array of { account: 'foo', password: 'bar' }.
findPassword(service)
Find a password for the service in the keychain. This is ideal for scenarios where an account is not required.
service - The string service name.
Yields the string password, or null if an entry for the given service was not found.
FAQs
Bindings to native Mac/Linux/Windows password APIs (forked)
We found that keytar-forked-forked demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 06 Sep 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025