Chirag Pandey

This is an unbelievable piece of work by Sarthak and something that requires amplification. Let me explain what he found, in simple terms. Sarthak is a Class 12 student from the 2025-26 batch, one of the 17 lakh students whose answer sheets went through CBSE's new On-Screen Marking system. He spent days reading through CBSE's evaluation tenders, scraped all 576 tenders CBSE has issued, and tracked how the rules changed across three versions of the same tender. The core finding is that the company that won the contract to scan and grade 17 lakh students' answer sheets is Coempt Eduteck. Coempt used to be called Globarena Technologies. Globarena was the company behind the 2019 Telangana intermediate exam disaster, where software failures led to 3.8 lakh students getting wrong or missing marks, and 23 students died by suicide. A government committee found systemic failure and negligence. Six months later, Globarena rebranded to Coempt Eduteck. So a company with that track record won a contract to handle 17 lakh CBSE students. Sarthak's investigation is about how the rules were rewritten to let that happen. The tender was issued three times. > First tender, February 2025. It existed, then disappeared from the public GeM portal. Sarthak scraped all 576 CBSE tenders and this one was missing from the archive entirely. > Second tender, May 2025. Four companies applied including TCS and Coempt. All four failed the technical evaluation. Cancelled. > Third tender, August 2025. Coempt won. Between the second and third tender, a series of rule changes happened, and every single one made it easier for Coempt to qualify. Here is what changed, one by one. 01. The old rules disqualified any company with a history of abandoning work, failing to complete contracts, or financial weakness. The new rules deleted this clause entirely. Coempt's Telangana history stopped being a barrier. 02. The old rules disqualified any company that was "blacklisted earlier." The new rules changed this to "currently blacklisted." Because Globarena rebranded after Telangana, removing the word "earlier" effectively erased their past. 03. The rules required Rs 50 crore average turnover over three years. Coempt's exact average came to Rs 50.86 crore. They cleared the bar by less than 1%. Earlier, a smaller company had asked CBSE to lower the bar to Rs 30 crore for fairer competition. CBSE refused. So the bar was kept high enough to block small players, but sat exactly low enough for Coempt to scrape through. 04. Software maturity is measured on the CMMI scale, 1 to 5. The old rules required Level 5. The new rules dropped it to Level 3. Coempt is a Level 3 company. 05. The cooling-off period for engaging retired CBSE officials was cut from two years to one. This makes it easier to use recently retired insiders to influence the process. 06. The old rules required experience with large projects of at least 5 lakh students each. The new rules removed the student count and counted cumulative answer-book volume across small projects instead. Coempt has many small fragmented university contracts. This helped Coempt and hurt TCS. 07. The old rules required bidders to own their own data centre and disaster recovery centre on Indian soil. The new rules allowed third-party MeitY-empanelled cloud hosting. Coempt runs on AWS and Azure. This helped Coempt and hurt TCS, which owns its own data centres. It also means student data is no longer on sovereign, Indian infrastructure. 08. The old rules required the bidder to own or control the complete source code of its software. The new rules deleted this. Coempt's platform runs on Microsoft's proprietary IIS, which they don't own. 09. A last-minute corrigendum, issued right before bid submission, removed CBSE's own power to blacklist the firm if its software failed catastrophically. So even a Telangana-scale failure couldn't get Coempt banned from future government tenders. 10. The penalty structure shifted from punishing mistakes to punishing delays. The old rules fined the vendor for wrong scanning, merged pages, and unscanned books. The new rules dropped those and instead levied Rs 50,000 per day for delays. This incentivises rushed scanning over accurate scanning. 11. The old rules had a hard accuracy threshold, error rate not to exceed 0.5%. The new rules removed this number entirely. 12. The old rules specified proper book and robotics scanners. The new rules just say "sufficient scanners." The definition was vague enough that, as Sarthak notes, the scanning could be done with a phone on a stand. 13. On the security side, the contract required a VAPT (vulnerability and penetration test) certified by CERT-In before go-live, and a restricted beta phase before launch. The system clearly wasn't restricted, because the other researcher, Nisarga, was able to access it and find vulnerabilities four days before go-live. So the mandatory security audit appears to have been bypassed. These are more than a dozen rule changes, all between the failed tender and the winning tender, all pushing in the same direction, all benefiting the one company with the worst track record in the field. The security holes Nisarga found last week now have an explanation. The system was built by a vendor that was specifically allowed to skip the security certification, the source code ownership, the data sovereignty, and the quality thresholds the original rules demanded. Following things need to happen immediately; 1. An immediate CAG audit of the tender process. 2. A parliamentary debate on the topic. 3. An independent investigation into > Why the first tender vanished? > Why the disqualification clauses were deleted? > Why the turnover bar was held exactly where it was? > Why the security level was dropped? > Why the blacklisting power was removed at the last moment? Sarthak, this is genuinely exceptional investigative work. Far better than most journalists with full resources ever manage. Take a bow. :)

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

Someone just poisoned the Python package that manages AI API keys for NASA, Netflix, Stripe, and NVIDIA.. 97 million downloads a month.. and a simple pip install was enough to steal everything on your machine. The attacker picked the one package whose entire job is holding every AI credential in the organization in one place. OpenAI keys, Anthropic keys, Google keys, Amazon keys… all routed through one proxy. All compromised at once. The poisoned version was published straight to PyPI.. no code on GitHub.. no release tag.. no review. Just a file that Python runs automatically on startup. You didn’t need to import it. You didn’t need to call it. The malware fired the second the package existed on your machine. The attacker vibe coded it… the malware was so sloppy it crashed computers.. used so much RAM a developer noticed their machine dying and investigated. They found LiteLLM had been pulled in through a Cursor MCP plugin they didn’t even know they had. That crash is the only reason thousands of companies aren’t fully exfiltrated right now. If the code had been cleaner nobody notices for weeks. Maybe months. The attack chain is the part that gets worse every sentence. TeamPCP compromised Trivy first. A security scanning tool. On March 19. LiteLLM used Trivy in its own CI pipeline… so the credentials stolen from the SECURITY product were used to hijack the AI product that holds all your other credentials. Then they hit GitHub Actions. Then Docker Hub. Then npm. Then Open VSX. Five package ecosystems in two weeks. Each breach giving them the credentials to unlock the next one. The payload was three stages.. harvest every SSH key, cloud token, Kubernetes secret, crypto wallet, and .env file on the machine.. deploy privileged containers across every node in the cluster.. install a persistent backdoor waiting for new instructions. TeamPCP posted on Telegram after: “Many of your favourite security tools and open-source projects will be targeted in the months to come.. stay tuned.” Every AI agent, copilot, and internal tool your company shipped this year runs on hundreds of packages exactly like this one… nobody chose to install LiteLLM on that developer’s machine. It came in as a dependency of a dependency of a plugin. One compromised maintainer account turned the entire trust chain into a credential harvesting operation across thousands of production environments in hours. The companies deploying AI the fastest right now have the least visibility into what’s underneath it.