Himanshu Gupta

This is an unbelievable piece of work by Sarthak and something that requires amplification. Let me explain what he found, in simple terms. Sarthak is a Class 12 student from the 2025-26 batch, one of the 17 lakh students whose answer sheets went through CBSE's new On-Screen Marking system. He spent days reading through CBSE's evaluation tenders, scraped all 576 tenders CBSE has issued, and tracked how the rules changed across three versions of the same tender. The core finding is that the company that won the contract to scan and grade 17 lakh students' answer sheets is Coempt Eduteck. Coempt used to be called Globarena Technologies. Globarena was the company behind the 2019 Telangana intermediate exam disaster, where software failures led to 3.8 lakh students getting wrong or missing marks, and 23 students died by suicide. A government committee found systemic failure and negligence. Six months later, Globarena rebranded to Coempt Eduteck. So a company with that track record won a contract to handle 17 lakh CBSE students. Sarthak's investigation is about how the rules were rewritten to let that happen. The tender was issued three times. > First tender, February 2025. It existed, then disappeared from the public GeM portal. Sarthak scraped all 576 CBSE tenders and this one was missing from the archive entirely. > Second tender, May 2025. Four companies applied including TCS and Coempt. All four failed the technical evaluation. Cancelled. > Third tender, August 2025. Coempt won. Between the second and third tender, a series of rule changes happened, and every single one made it easier for Coempt to qualify. Here is what changed, one by one. 01. The old rules disqualified any company with a history of abandoning work, failing to complete contracts, or financial weakness. The new rules deleted this clause entirely. Coempt's Telangana history stopped being a barrier. 02. The old rules disqualified any company that was "blacklisted earlier." The new rules changed this to "currently blacklisted." Because Globarena rebranded after Telangana, removing the word "earlier" effectively erased their past. 03. The rules required Rs 50 crore average turnover over three years. Coempt's exact average came to Rs 50.86 crore. They cleared the bar by less than 1%. Earlier, a smaller company had asked CBSE to lower the bar to Rs 30 crore for fairer competition. CBSE refused. So the bar was kept high enough to block small players, but sat exactly low enough for Coempt to scrape through. 04. Software maturity is measured on the CMMI scale, 1 to 5. The old rules required Level 5. The new rules dropped it to Level 3. Coempt is a Level 3 company. 05. The cooling-off period for engaging retired CBSE officials was cut from two years to one. This makes it easier to use recently retired insiders to influence the process. 06. The old rules required experience with large projects of at least 5 lakh students each. The new rules removed the student count and counted cumulative answer-book volume across small projects instead. Coempt has many small fragmented university contracts. This helped Coempt and hurt TCS. 07. The old rules required bidders to own their own data centre and disaster recovery centre on Indian soil. The new rules allowed third-party MeitY-empanelled cloud hosting. Coempt runs on AWS and Azure. This helped Coempt and hurt TCS, which owns its own data centres. It also means student data is no longer on sovereign, Indian infrastructure. 08. The old rules required the bidder to own or control the complete source code of its software. The new rules deleted this. Coempt's platform runs on Microsoft's proprietary IIS, which they don't own. 09. A last-minute corrigendum, issued right before bid submission, removed CBSE's own power to blacklist the firm if its software failed catastrophically. So even a Telangana-scale failure couldn't get Coempt banned from future government tenders. 10. The penalty structure shifted from punishing mistakes to punishing delays. The old rules fined the vendor for wrong scanning, merged pages, and unscanned books. The new rules dropped those and instead levied Rs 50,000 per day for delays. This incentivises rushed scanning over accurate scanning. 11. The old rules had a hard accuracy threshold, error rate not to exceed 0.5%. The new rules removed this number entirely. 12. The old rules specified proper book and robotics scanners. The new rules just say "sufficient scanners." The definition was vague enough that, as Sarthak notes, the scanning could be done with a phone on a stand. 13. On the security side, the contract required a VAPT (vulnerability and penetration test) certified by CERT-In before go-live, and a restricted beta phase before launch. The system clearly wasn't restricted, because the other researcher, Nisarga, was able to access it and find vulnerabilities four days before go-live. So the mandatory security audit appears to have been bypassed. These are more than a dozen rule changes, all between the failed tender and the winning tender, all pushing in the same direction, all benefiting the one company with the worst track record in the field. The security holes Nisarga found last week now have an explanation. The system was built by a vendor that was specifically allowed to skip the security certification, the source code ownership, the data sovereignty, and the quality thresholds the original rules demanded. Following things need to happen immediately; 1. An immediate CAG audit of the tender process. 2. A parliamentary debate on the topic. 3. An independent investigation into > Why the first tender vanished? > Why the disqualification clauses were deleted? > Why the turnover bar was held exactly where it was? > Why the security level was dropped? > Why the blacklisting power was removed at the last moment? Sarthak, this is genuinely exceptional investigative work. Far better than most journalists with full resources ever manage. Take a bow. :)

“MeitY received an input from the IB to block the X account of Cockroach Janta Party, citing that it posed a threat to the sovereignty of India. "The IB believed that the account was posting inflammatory content through its account, which could have jeopardised the country’s national security.” the official said on condition of anonymity since such blocking orders are issued under a confidential framework." “In particular, the concern stemmed from the fact that the account’s content was gaining traction among young people.” https://t.co/4dKR3jZFke

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.