Voiceyfy is an AI-powered voice and chat agent platform that answers business phone calls 24/7 using natural-sounding AI. It books appointments, qualifies leads, handles emergencies, routes calls to humans, logs interactions in CRMs, and supports 22 languages with Auto Language Switch (including 7 Indian regional languages), all without any coding required. Built by Spicyfy Ventures LLC, it serves over 100 industries worldwide including healthcare, legal, home services, real estate, and hospitality.

How much does Voiceyfy cost?

Voiceyfy starts at $39/month when billed annually, or $49/month billed monthly. All plans include unlimited AI voice and chat agents, booking calendar, CRM pipeline, analytics dashboard, knowledge base, and 22-language support with Auto Language Switch. A 14-day free trial is available with no credit card required and no contracts. Enterprise plans with custom pricing are also available.

What industries does Voiceyfy work for?

Voiceyfy serves 100+ industries including: Healthcare (dental clinics, medical practices, veterinary, chiropractic, mental health, optometry, med spas), Legal (law firms, accounting, tax preparation), Financial (insurance agencies, mortgage brokers, real estate, financial advisors), Home Services (HVAC, plumbing, electrical, roofing, pest control, landscaping, cleaning, painting, pool maintenance, home security), Automotive (auto repair, car dealerships, tire service), Hospitality (hotels, restaurants, event venues, vacation rentals), Education (daycare, tutoring, driving schools), Beauty (hair salons, nail salons, gyms), and Professional Services (IT support, staffing agencies, property management, event planning). The highest ROI industries are healthcare, home services, legal, and real estate due to their high call volumes and appointment-heavy workflows.

How is Voiceyfy different from Retell AI and Vapi?

Voiceyfy is designed for business owners, not developers. Unlike Retell AI and Vapi which require coding expertise and API integration, Voiceyfy offers: (1) No-code setup in under 15 minutes, (2) Built-in CRM pipeline, booking calendar, and analytics dashboard, (3) Self-train AI agent builder with no developers needed, (4) Flat monthly pricing starting at $39/month vs. per-minute pricing, (5) 22 languages with real-time Auto Language Switch (including 7 Indian languages) vs. limited language support, (6) Live human handoff and advanced call routing included, (7) Outbound AI calling campaigns built-in. Voiceyfy is the only SMB voice AI platform supporting Hindi, Telugu, Tamil, Bengali, Marathi, Kannada, and Malayalam.

Does Voiceyfy support multiple languages?

Yes, Voiceyfy supports 22 languages with real-time Auto Language Switch. The AI detects the caller's language within one second and switches the entire conversation automatically. Same call, no interruption, no lost context. Supported languages include English, Spanish, French, German, Italian, Portuguese, Dutch, Japanese, Korean, Chinese, Arabic, Russian, Polish, Turkish, Swedish, and 7 Indian regional languages (Hindi, Telugu, Tamil, Bengali, Marathi, Kannada, Malayalam). Voiceyfy is the only SMB voice AI platform supporting Indian regional languages, ideal for diverse US markets like Houston (Spanish), Los Angeles (Korean/Spanish), Chicago (Polish/Hindi), and Indian-American business communities nationwide.

How does Voiceyfy's AI voice sound? Will customers know it's AI?

Voiceyfy uses advanced natural voice synthesis, not robotic IVR. The AI speaks in a warm, human-like voice with natural cadence, pauses, and conversational flow. Most callers cannot tell the difference from a human receptionist. You choose whether to disclose it is AI-powered. You can preview the voice quality with our live demo line before signing up.

What happens if a call is too complex for the AI?

Voiceyfy features advanced call routing with live human handoff. When a call is too complex, involves an emergency, or the caller requests a human, the AI intelligently routes the call to the right team member in real time via SIP transfer with a full call summary and context. The human agent sees the AI's conversation log and caller details, so the customer never has to repeat themselves. This seamless AI-to-human transfer works as a built-in safety net for every call.

Does Voiceyfy support outbound AI calling?

Yes. Voiceyfy fully supports outbound AI calling including proactive follow-up calls, appointment reminders and confirmations, lead re-engagement campaigns, estimate/quote follow-ups, post-service feedback calls, and multi-step outreach campaigns. You can upload a contact list, set the campaign schedule, and the AI calls each contact with a personalized conversation. Outbound calling is included in all plans.

How do I set up Voiceyfy?

Setup takes under 15 minutes with three simple steps: (1) Forward your existing business phone number to Voiceyfy (no new number needed), (2) Upload your services, pricing, hours, FAQs, and booking rules to the knowledge base, (3) The AI starts answering calls immediately, 24/7. No coding, no developers, no complex configuration required. You can also use the Self-Train AI Agent feature to fine-tune the AI's responses with your specific business context.

Where does Voiceyfy work? Is it available outside the US?

Voiceyfy works globally. The platform supports phone numbers and businesses in the United States, Canada, United Kingdom, Australia, India, UAE, Singapore, Germany, France, Spain, Italy, Japan, South Korea, Brazil, Mexico, South Africa, and 50+ other countries. With 22-language support and Auto Language Switch, Voiceyfy automatically detects and responds in the local language of any market, including 7 Indian regional languages. There are no geographic limitations. If your business receives phone calls, Voiceyfy can answer them.

Is Voiceyfy HIPAA compliant?

Yes, Voiceyfy is designed with healthcare privacy in mind. The platform supports HIPAA-compliant AI voice interactions for medical practices, dental clinics, mental health clinics, chiropractic offices, and other healthcare providers. Patient data is handled securely with encryption, access controls, and audit logging. Contact the Voiceyfy team for a Business Associate Agreement (BAA) if required.

How does Voiceyfy compare to traditional answering services?

Voiceyfy replaces traditional answering services at a fraction of the cost. Traditional answering services charge $1,500-5,000/month with limited hours and inconsistent quality. Voiceyfy starts at $39/month and provides: 24/7/365 availability with zero wait times, instant appointment booking, CRM integration, multilingual support, outbound calling campaigns, and consistent quality on every call. The AI never calls in sick, never puts callers on hold, and handles unlimited simultaneous calls.

What happened to the axios npm package in March 2026?

On March 31 2026, attackers attributed to the North Korea-linked group UNC1069 obtained the npm access token of the lead axios maintainer. They published two backdoored versions — axios@1.8.4 and axios@0.30.0 — which contained a phantom dependency called plain-crypto-js. When developers ran npm install, a postinstall hook fired the SILKBELL dropper, which downloaded the WAVESHAPER.V2 RAT in approximately 1.1 seconds and then self-destructed to cover its tracks.

Is axios safe to use in 2026?

Yes, axios is safe to use as long as you are not on the compromised versions. The safe versions are axios@1.8.3 (v1 branch) and axios@0.30.3 (legacy v0 branch). The poisoned versions axios@1.8.4 and axios@0.30.0 have been removed from npm. Update your package.json and commit your lockfile.

How do I check if my project was affected by the axios supply chain attack?

Run "npm list axios" to see your current version. Then run "git log -p -- package-lock.json | grep plain-crypto-js" to check if the phantom dependency ever appeared in your lockfile history. If that command returns anything, the dropper ran on your machine. Also check for RAT artifacts: /Library/Caches/com.apple.act.mond on macOS, /tmp/ld.py on Linux, and %PROGRAMDATA%\wt.exe on Windows.

What should I do if I was running axios@1.8.4 or axios@0.30.0?

Immediately downgrade to axios@1.8.3 or axios@0.30.3. Block sfrclak.com and 142.11.206.73:8000 at your firewall to cut off any active C2 communication. Check for RAT artifacts on disk. If you find any, treat the machine as fully compromised: disconnect it from the network, rotate every credential that was ever present on it (npm tokens, SSH keys, API keys, cloud credentials, database passwords), and rebuild from a clean image.

What is the plain-crypto-js npm package?

plain-crypto-js is a malicious npm package created by the attackers behind the axios supply chain attack. It was injected as a phantom dependency into axios@1.8.4 and axios@0.30.0. Its postinstall hook fired the SILKBELL dropper, which downloaded the WAVESHAPER.V2 remote access trojan. Legitimate axios has only three dependencies: follow-redirects, form-data, and proxy-from-env. The presence of plain-crypto-js in your lockfile history is definitive evidence of compromise.

How can I prevent npm supply chain attacks in the future?

Add ignore-scripts=true and save-exact=true to your .npmrc file. Run "npm config set min-release-age 3" to block packages published fewer than 3 days ago. Use "npm ci" instead of "npm install" in CI/CD pipelines. Consider switching to pnpm or bun, which do not run lifecycle scripts by default. Integrate a supply chain analysis tool like Socket.dev into your pipeline — it detected this attack in 6 minutes.

Axios npm Supply Chain Attack 2026: Detection, Fix & Hardening Guide

Active Threat - April 2, 2026

Running axios@1.8.4 or axios@0.30.0? You need to act now. Downgrade to axios@1.8.3 or axios@0.30.3, rotate every credential on affected machines, and block sfrclak.com and 142.11.206.73 at your firewall. Full steps below.

If you write JavaScript, you almost certainly use axios. It is the go-to HTTP library for everything from small React apps to large Node.js backends, pulling in over 100 million downloads every week. On the night of March 31, 2026, someone turned it into a weapon.

The group behind the attack is tracked as UNC1069, a financially motivated crew with ties to North Korea that has been active since 2018. They obtained a long-lived npm token belonging to the main axios maintainer, jasonsaayman, swapped the account email to a Proton Mail address they controlled, then quietly pushed two poisoned releases in a 39-minute window before anyone spotted what was happening.

What set this apart from a typical hijack was the preparation. The attackers staged everything 18 hours in advance, built separate payloads for Windows, macOS, and Linux, and made the malware delete itself after running. It wiped the dropper, swapped in a clean-looking package.json, and left almost no trace on disk.

100M+

Weekly downloads

affected package

1.1s

RAT deploy time

after npm install

39 min

Both branches hit

v0 and v1

6 min

First detection

Socket.dev

How It Unfolded: The Attack Timeline

Mar 30, 05:57 UTC

Decoy package published

A clean axios-mock package goes up on npm, establishing a paper trail to make the account look active and legitimate before the attack.

Mar 30, 23:59 UTC

Malicious payload staged

The real dropper is published, XOR-obfuscated with the key OrDeR_7077, ready to be pulled in as a dependency when the attack fires.

Mar 31, 00:21 UTC

axios@1.8.4 released with backdoor

Using the stolen maintainer token, a new official axios release is pushed. One extra line slips into package.json: "plain-crypto-js": "^4.2.1". That package is never actually imported anywhere in the real axios code.

Mar 31, 01:00 UTC

axios@0.30.0 also compromised

Thirty-nine minutes later the legacy 0.x branch gets the same treatment, catching millions of projects that were still on older versions.

Mar 31, 00:27 UTC

Socket.dev flags it six minutes later

Automated behavioral analysis catches the phantom dependency. GitHub issues and community reports start rolling in quickly.

The Full Attack Chain

01Account taken over with stolen npm token

02Phantom dependency added to package.json

03npm runs postinstall hook automatically

04SILKBELL dropper fires, detects the OS

05WAVESHAPER.V2 RAT pulls down in 1.1 seconds

06Dropper deletes itself, swaps in clean package.json

"This was not opportunistic. The malicious dependency was staged 18 hours in advance. Three separate payloads were pre-built for three operating systems. Both release branches were hit within 39 minutes. Every trace was designed to self-destruct."
Security researcher quoted by The Hacker News

Step-by-Step: How to Check if You Were Affected

The first thing to do is find out whether you were running one of the compromised versions and whether the dropper ever had a chance to run.

Compromised versions

axios@1.8.4axios@0.30.0

Safe versions

axios@1.8.3axios@0.30.3

# Check what version your project is using
npm list axios

# Check globally installed packages too
npm list -g axios

# Scan your whole machine for any axios installs (Mac/Linux)
find / -path "*/node_modules/axios/package.json" 2>/dev/null | while read f; do
  version=$(grep '"version"' "$f" | head -1)
  echo "$f -> $version"
done

# The most important check: search lockfile history for the phantom dependency
git log -p -- package-lock.json | grep "plain-crypto-js"
# If this returns anything at all, keep reading carefully

Real axios has exactly three dependencies: follow-redirects, form-data, and proxy-from-env. If you see plain-crypto-js anywhere in your lockfile history, that is not ambiguous. That is tampering.

Stop before you delete anything. If the git command returned a result, do not just nuke the file and move on. The dropper ran the moment npm install executed. Even though it cleaned itself up, it had 1.1 seconds to phone home and drop a persistent RAT. Treat the machine as compromised and follow the steps below.

How to Fix It: Remediation Steps

Block the C2 domains at your firewall first. Do this before anything else. Block sfrclak.com and 142.11.206.73:8000. As long as those are reachable, any already-infected machine is still under attacker control.
Downgrade axios right now. Run npm install axios@1.8.3 or npm install axios@0.30.3 for legacy projects. Commit the updated lockfile.
Get plain-crypto-js out of there. Remove it from node_modules and make sure it is gone from your lockfile.
Found RAT artifacts? Treat the machine as fully owned. Rotate everything: npm tokens, SSH keys, API keys, database passwords, cloud credentials. All of it.
Check what got committed while it had access. Look for unexpected changes to pipeline configs, CI secrets, or any new tokens issued during the window.

RAT file locations to check:

macOS: /Library/Caches/com.apple.act.mond
Linux: /tmp/ld.py
Windows: %PROGRAMDATA%\wt.exe

Do not delete them yet. Preserve the files for forensics, disconnect the machine, pull every credential that was ever on it, and rebuild from a clean image.

How to Harden npm So This Cannot Happen Again

Pin exact versions in .npmrc

That ^ caret in "axios": "^1.8.0" is what let npm silently upgrade to the compromised build. Add save-exact=true to your .npmrc and you will always install exactly what you asked for.

Turn off postinstall scripts

The whole attack ran through a postinstall hook. One line stops it cold: ignore-scripts=true in your .npmrc. If a package needs scripts to work, you decide whether to trust it first.

Set a package age floor

npm config set min-release-age 3 tells npm to refuse any package published less than 3 days ago. The poisoned axios versions existed for hours, not days. That one setting would have blocked this attack entirely.

Consider pnpm or bun

Neither runs lifecycle scripts by default. This attack would not have worked at all on a pnpm or bun project. Worth considering for new projects.

# Drop these into your .npmrc and commit it
save-exact=true
ignore-scripts=true
min-release-age=3

# In CI, always use npm ci instead of npm install
npm ci   # Installs exactly what is in the lockfile, no surprises

# Add these defaults to your base Docker image too
RUN echo "ignore-scripts=true" >> /root/.npmrc && \
    echo "min-release-age=3"   >> /root/.npmrc && \
    echo "save-exact=true"     >> /root/.npmrc

One command would have stopped this attack completely: npm config set min-release-age 3. The poisoned packages were live for hours, not days. A 3-day age floor would have prevented every machine from ever pulling them down. Run it now.

Indicators of Compromise (IOCs)

Use these to search your logs, firewall records, and endpoint detection tools for signs of infection.

Type	Value
C2 Domain	`sfrclak.com`
C2 IP Address	`142.11.206.73`
C2 Port / Path	`:8000/6202033`
XOR Obfuscation Key	`OrDeR_7077`
Phantom Package	`plain-crypto-js@4.x`
macOS RAT Path	`/Library/Caches/com.apple.act.mond`
Linux RAT Path	`/tmp/ld.py`
Windows RAT Path	`%PROGRAMDATA%\wt.exe`
axios@1.8.4 SHA-1	`2553649f2322049666871cea80a5d0d6adc700ca`
axios@0.30.0 SHA-1	`d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71`

What This Means for Your Business

This is not a vulnerability in the traditional sense where you patch a library and move on. The axios package itself was fine. The maintainer's account was the weak point, and through that single credential attackers reached every developer and CI system that ran npm install during a six-hour window. With 100 million downloads per week, the potential blast radius was enormous.

Huntress confirmed over 100 compromised hosts in the first 24 hours alone. Because the malware deletes itself, the real number is almost certainly higher. Google's Threat Intelligence Group attributes this to UNC1069, a North Korea-linked group that is primarily after money, which means stolen credentials and intellectual property are the most likely targets.

The forensic clock is ticking. Because the malware cleans up after itself, teams that did not catch this in real time may not be able to confirm or rule out compromise through a standard disk scan. If your engineers ran the affected versions and you have not started a forensic review, start one today.

Stolen credentials

WAVESHAPER.V2 gives attackers full remote access, script execution, and process injection. Any secret accessible to an infected process should be considered compromised.

It spreads through dependencies

Two other packages, @shadanai/openclaw and @qqbrowser/openclaw-qbot, were also distributing the same malware. Your transitive dependency tree is part of your attack surface.

Hard to detect after the fact

The self-destruct behavior makes it very difficult to know whether a machine was hit if you did not catch it live. Standard malware scans won't find what isn't there anymore.

Frequently Asked Questions

Is axios safe to use now?

Yes. The compromised versions have been removed from npm. As long as you are on axios@1.8.3 or axios@0.30.3, you are safe.

What is the WAVESHAPER.V2 RAT?

WAVESHAPER.V2 is a remote access trojan deployed by the attackers after the SILKBELL dropper runs. It supports full remote code execution, file access, OS command execution, process injection, and two-way encrypted communication with the C2 server at sfrclak.com. It was built separately for Windows, macOS, and Linux.

Would using npm ci have prevented this?

Not on its own, because npm ci still runs postinstall hooks. However, it installs from the lockfile exactly, so if your lockfile was committed before the poisoned versions were published, it would have protected you. The combination of npm ci plus ignore-scripts=true would have fully blocked the attack.

How did Socket.dev catch this in 6 minutes?

Socket.dev uses behavioral analysis on package publish events rather than waiting for CVE reports. It looks at what code a package actually does: does it make outbound network connections? Does it modify system files? Does it obfuscate itself? Those signals fired immediately when plain-crypto-js hit npm. This is why behavioral supply chain monitoring is more effective than CVE-based scanning for this class of attack.

"The real axios has only three dependencies. The addition of plain-crypto-js is unambiguous tampering. When npm processes this vendored axios, it installs plain-crypto-js and triggers the same malicious postinstall chain."
Socket.dev Security Research

About Voiceyfy

We build secure, AI-powered voice agents for service businesses

Security is something we think about deeply, both in the software we ship and in what we recommend to the businesses we work with. Voiceyfy helps service businesses answer every call, book every appointment, and grow without adding headcount.

See How Voiceyfy Works Our Security Practices

Sources

NetworkChuck · theNetworkChuck/axios-attack-guide on GitHub · Google Threat Intelligence Group (GTIG) · Socket.dev Security Research · Huntress Labs · StepSecurity · Unit 42 by Palo Alto Networks · The Hacker News · Cyber Security Agency of Singapore

The Axios npm Attack: How 100 Million Downloads Became a Backdoor