Full-Time

New Grad Software Engineer

Posted on 3/7/2025

Vapi

51-200 employees

Platform for building voice AI agents

Compensation Overview

$150k - $265k/yr

San Francisco, CA, USA

In Person

Category
Software Engineering (1)
Required Skills
React.js
TypeScript
Requirements
  • Experience with TypeScript, React, Node or other software development frameworks
  • Communication: You can clearly articulate what's going on to both technical and non-technical stakeholders
  • Organization: You naturally gravitate toward building systems that stand the test of time
  • Quicker learner: You can rapidly ramp up on what a customer's use case and requirements are in order to provide immediate value
  • Self-starter: You take initiative to get shit done and figure out what's the highest value thing to do
Desired Qualifications
  • Bonus: Interest in one day becoming a technical founder of a B2B SaaS company

Vapi provides an infrastructure platform to build and deploy enterprise-grade voice AI agents. Developers use flexible APIs and an SDK to create, test, and deploy voice agents for inbound and outbound calls, using a mix of STT, LLMs, and TTS from integrated or third-party providers to deliver low-latency conversations. Clients can bring their own API keys or use Vapi's models, giving control over cost and performance across industries like healthcare, finance, and travel, from startups to Fortune 500s. The goal is to simplify building scalable voice operations and enable rapid deployment of AI-powered call workflows, with a usage-based pricing model per minute plus telephony and AI costs, differentiating itself through a developer-centric approach and provider-agnostic orchestration.

Company Size

51-200

Company Stage

Series B

Total Funding

$70.1M

Headquarters

San Francisco, California

Founded

2021

Simplify's Take

What believers are saying

  • Ring routing 100% inbound calls validates enterprise production readiness.
  • Enterprise business grew 10x since early 2025.
  • Vapi handles 1 million to 5 million daily calls and over 1 billion total.

What critics are saying

  • Model costs are passed to customers, exposing margins to vendor price hikes.
  • The June 3, 2026 GitHub token compromise exposed release infrastructure weaknesses.
  • Competitors like Bland AI and Retell AI target identical enterprise voice workflows.

What makes Vapi unique

  • Developer-first infrastructure abstracts STT, LLM, TTS, and telephony orchestration.
  • Amazon Ring selected Vapi after evaluating over 40 voice vendors.
  • Vapi reports sub-600ms real-time conversations and enterprise-grade configurability.

Benefits

Company Equity

401(k) Company Match

Growth & Insights and Company News

Headcount

6 month growth

26%

1 year growth

26%

2 year growth

62%
Vapi
Jun 4th, 2026
Our response to the June 3, 2026 supply chain incident.

Team Vapi - Jun 04, 2026

On June 3, 2026, Vapi identified and contained a supply chain incident associated with the Miasma/Shai-Hulud worm that affected repositories in the Vapi GitHub organization. Vapi became aware of the issue via its internal telemetry as soon as the impacted npm packages were deployed, and was able to remove the malicious code, clean, validate, and resolve the incident within a 3-hour window.

Based on its investigation, no customer data, customer credentials, Vapi secrets, or keys (beyond the initial compromised access token) were accessed or exfiltrated. Four malicious versions of @vapi-ai/server-sdk were published to npm, but based on its review of npm download data, those versions had zero downloads before they were removed. Vapi Inc. has also not identified evidence that the malicious code executed in its GitHub Actions CI/CD environment.

At this time, no customer action is required. Vapi Inc. is sharing more details below about what happened, what Vapi Inc. found, what Vapi Inc. did in response, and what customers can review as an additional precaution.

What happened

On June 3, 2026, between approximately 22:56 and 23:30 UTC, an unexpired access token belonging to a developer's personal GitHub account was used to push malicious changes across repositories that account had access to. This included some Vapi repositories.

The attack modified repository branch tips and introduced malicious files designed to execute through common developer and CI tooling paths. The malicious changes included scripts and hooks targeting developer tools and package workflows, including npm-related execution paths and AI coding assistant configurations.

In a limited number of repositories, the compromised account had elevated access. In such repositories where access was allowed, the worm disabled branch protections, preventing them from preventing the push.

During the incident, npm indicated that new versions of @vapi-ai/server-sdk had been published. The versions containing the worm were published at approximately 4:30 pm PT / 11:30 pm UTC on June 3, 2026. Vapi Inc. removed and rolled back the malicious npm versions by approximately 7:20 pm PT the same day. Vapi Inc. has no evidence that the malicious code executed through its CI/CD environment, and its platform has not been impacted.

What Vapi Inc. found

Based on its investigation:

  • Vapi Inc. has not identified evidence that customer data was accessed or exfiltrated.
  • Vapi Inc. has not identified evidence that customer credentials were accessed or exfiltrated.
  • Vapi Inc. has not identified evidence that Vapi secrets or keys were breached (beyond the initial compromised developer access token).
  • The malicious @vapi-ai/server-sdk versions had zero downloads before they were removed.
  • Vapi Inc. has not identified malicious packages published to PyPI, RubyGems, NuGet, Maven, Go, or Packagist as part of this incident.

What Vapi Inc. did

After identifying the incident, Vapi Inc. took the following actions:

  • Removed the malicious npm versions.
  • Revoked access for the affected GitHub account.
  • Cleaned identified affected repositories and branches. Vapi Inc. deleted worm artifact branches and verified that the malicious files were no longer present on remediated branches.
  • Audited GitHub users and applications. Vapi Inc. reviewed GitHub users, access patterns, and authorized applications. Vapi Inc. also deployed an updated, stricter access policy to reduce unnecessary elevated access.
  • Added additional repository protections. Vapi Inc. hardened branch protections for SDK default branches to block force pushes and branch deletion by default, while preserving required release workflows.
  • Began rotating Vapi secrets and keys. Although Vapi Inc. has not identified evidence that Vapi secrets or keys were breached, Vapi Inc. is rotating them as a precaution.

Customer guidance

Based on what Vapi Inc. knows today, no customer action is required. Because the malicious npm versions had zero downloads before removal, Vapi Inc. does not believe customer environments installed these versions from npm.

As a precaution, customers may review package manifests, lockfiles, and internal package mirrors for the following versions:

  • @vapi-ai/[email protected]
  • @vapi-ai/[email protected]
  • @vapi-ai/[email protected]
  • @vapi-ai/[email protected]

If any of these versions are present in your environment, remove them and install a current, known-good version of @vapi-ai/server-sdk. If one of these versions was installed or executed in an environment containing credentials, rotate credentials that may have been available in that environment. Vapi Inc. will update this guidance if necessary.

FAQ

Were customer data or customer credentials compromised?
No. Vapi Inc. has not identified evidence that customer data or customer credentials were accessed or exfiltrated.

Were Vapi secrets or keys breached?
No. Vapi Inc. has not identified evidence that Vapi secrets or keys beyond one initially affected access token were breached. Vapi Inc. is rotating Vapi secrets and keys as a precaution.

Were the malicious npm versions downloaded?
No. Based on its review of npm download data, the malicious @vapi-ai/server-sdk versions had zero downloads before they were removed.

Which npm versions were affected?
The affected versions were:

  • @vapi-ai/[email protected]
  • @vapi-ai/[email protected]
  • @vapi-ai/[email protected]
  • @vapi-ai/[email protected]

These versions have been removed or rolled back.

Were other Vapi packages affected?
Vapi Inc. has not identified malicious packages published to PyPI, RubyGems, NuGet, Maven, Go, or Packagist as part of this incident. The malicious package publishing activity Vapi Inc. identified was limited to the npm versions listed above.

Did the malicious code execute in Vapi CI/CD?
Vapi Inc. has not identified evidence that the malicious code executed through its CI/CD environment.

Why did branch protection not prevent this?
The compromised developer account had elevated access to some repositories. In repositories where that access allowed administrator or maintainer bypass, branch protections did not block the push. Vapi Inc. has since reviewed and hardened repository access policies, application access, and branch protection settings.

Do customers need to rotate Vapi API keys?
Based on its current findings, Vapi Inc. is not requiring customers to rotate Vapi API keys. Customers may choose to rotate keys according to their own security policies. Vapi Inc. will update this guidance if its investigation identifies any reason to rotate customer keys.

Did this affect Vapi production services?
No, the platform and production services were not impacted. To reiterate, Vapi Inc. did not identify evidence of a breach of customer data, customer credentials, Vapi secrets, or Vapi keys.

What is Vapi doing to reduce the risk of this happening again?
Vapi Inc. has audited GitHub users and applications, enforced an updated GitHub access policy, added additional protections on SDK default branches, removed malicious npm versions, cleaned identified affected repositories and branches, and begun rotating Vapi secrets and keys. Vapi works continuously to enhance its development, package publishing, and CI/CD controls, including where elevated access and bypass permissions are allowed.

What about the StepSecurity report?
On June 4, 2026, Vapi Inc. learned about an article from StepSecurity titled "Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp." This article references an event that is relevant to Vapi Inc., specifically mentioning Vapi. Vapi Inc. wants to note that Vapi identified and resolved the issue internally and in real-time, even before being aware of this article.

Vapi
May 12th, 2026
AGI is here. Why am I still on hold?

Latest Nigerian News
Dec 13th, 2024
Vapi, which helps businesses deploy AI-powered voice agents, raised a $20M Series A from Bessemer, Y Combinator, and others, a source says at a $130M valuation (Kritika Lamba/Reuters)

FinSMEs
Dec 12th, 2024
Vapi Raises $20M in Series A Funding

Tech Funding News
Dec 12th, 2024
Vapi raises $20M to deploy AI voice agents to transform customer interactions — TFN

Vapi, a developer platform for deploying Voice AI agents, has raised $20 million in Series A funding.

INACTIVE