
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
@qonto/embed-sdk
Advanced tools
Use Qonto Embed in your website with a high level abstraction that will make your integration easy and fast.
npm install @qonto/embed-sdk
or
pnpm install @qonto/embed-sdk
or
yarn add @qonto/embed-sdk
import { initialize } from '@qonto/embed-sdk/common';
const accessToken =
'An access token you have previously generated from your app';
initialize({ accessToken });
Read more about how your users are onboarded and an access token is generated for them in the docs.
import { cards } from '@qonto/embed-sdk/cards';
const newCard = cards.orderCard(cardConfig);
We are in the early stages of the SDK implementation. While we will strongly attempt to avoid breaking changes, we may need to make some in the future. Note that while the SDK is in the v0.x stage, breaking changes might happen. Once we reach v1.0.0, we will follow semantic versioning strictly.
This SDK exposes a set of programmatic features that you can use to interact with Qonto services. These features are
grouped into namespaces under src (cards, sepa-transfers, beneficiaries...) and they mainly export functions that can
be called by SDK users. Most of those functions are wrappers around Qonto's third party REST API, but some have more
complex logic, like opening iframes to perform sensitive actions.
The SDK exposes a set of UI Elements that can be embedded in partners' web applications. These elements are standard Web
Components that can be used in any front-end framework or vanilla JavaScript app. The implementation is done using Lit,
and the components are available under the ui namespace under src.
Now that you have the SDK installed and initialized, you can start using it. Check the documentation for each namespace to get up to speed with the different features available.
FAQs
Library to embed Qonto features in your application
We found that @qonto/embed-sdk demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.