Security Advisory: Axios NPM Package Supply Chain Compromise [CVE-2026-40175]

Thursday, 23 April

Complete

Remediation was completed Thursday 4/23/26 at 2:02pm EDT.

Underway

The scheduled maintenance is now underway. We'll keep you updated on our progress.

Scheduled
  • Status: Remediated, Monitoring
  • Severity: Critical
  • Identifiers: CVE-2026-40175, MAL-2026-2307
  • Affected Versions: 1.14.1, 0.30.4, 1.7.7*

*This attack did not include v1.7.7. This version’s related security issues were identified separately and included in overall remediation.

Overview: The open source npm package Axios, a JavaScript HTTP client library, was compromised in a supply chain attack in March and April 2026. Axios is a popular package depended on by millions of applications and services.

Postmark does not use the affected Axios versions. Customers that use the affected versions for their own applications and services are at risk of compromise. This risk extends to Postmark’s systems.

Remediation: In order to protect both customers and Postmark, the affected versions and v1.7.7 have been blocked at the network level.

Impact: All API requests to the Postmark API using the affected versions and v1.7.7 will return an error.

Required Action Plan:

  • Update Dependencies (Critical) - Update Axios to a secured version and ensure all vulnerable versions are removed from your applications or services. Note: API requests from blocked versions will now fail at the network level.
  • Rotate API Tokens (Critical) - Due to the data-exfiltration nature of this compromise, you must rotate ALL server API tokens if your environment has used Axios versions 1.14.1, 0.30.4, or 1.7.7 at any point.
  • How to rotate Postmark server API tokens: https://postmarkapp.com/support/article/1293-how-to-cycle-a-server-api-token
  • Review Security Guidance - For detailed steps on identifying if your local or CI/CD environment was breached, refer to the Microsoft Mitigation Guide: https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/#mitigation-and-protection-guidance