Last week, something alarming happened in the world of software — and almost nobody outside the tech industry noticed.

A widely-used software library called LiteLLM, downloaded over 95 million times every month, was quietly compromised by hackers. For roughly 40 minutes, anyone who installed it unknowingly invited malicious code into their systems code designed to steal passwords, cloud credentials, and secret keys. The attackers did not break through a firewall or crack a password. They poisoned a software ingredient that thousands of companies trusted blindly.

This is not a story about a single hack. It is a story about a hidden crisis that affects every person who uses a smartphone, books a flight, transfers money, or visits a doctor. The software that powers your daily life is built from thousands of invisible building blocks and securing those building blocks is one of the most important challenges of our time.

Software is made of ingredients, not written from scratch

When most people think about software, they imagine a programmer typing lines of code in a dark room. The reality is very different. Modern applications are assembled, not written. A typical application contains hundreds or even thousands of pre-built components open-source libraries created by developers all over the world and shared freely for anyone to use.

Think of it like cooking. A chef does not grow every grain of rice or mill every pinch of flour. They source ingredients from trusted suppliers and combine them into a dish. Software works the same way. The banking app on your phone, the system your hospital uses to store medical records, and the platform that processes your online orders all rely on a vast supply chain of shared ingredients.

This model of building software has been extraordinarily successful. It allows companies to move fast and innovate. But it has also created a massive security challenge: if even one ingredient is contaminated, everything built with it is at risk.

A new kind of threat: Supply chain attacks

In the traditional view of cybersecurity, attackers try to break into systems from the outside — guessing passwords, exploiting bugs, or tricking people into clicking malicious links. Supply chain attacks are fundamentally different. Instead of attacking the front door, the attacker poisons the food supply.

The strategy is devastatingly effective. Why spend weeks trying to hack one company when you can compromise a single software component that thousands of companies already trust? When the SolarWinds attack was discovered in 2020, it revealed that a compromised software update had been silently installed on the networks of over 18,000 organisations, including multiple U.S. government agencies. In 2021, a vulnerability in a tiny library called Log4j sent the entire tech industry into emergency response mode, because the library was embedded in millions of applications worldwide.

The LiteLLM attack from last week follows the same playbook, but with a twist that should concern us deeply. The attackers first compromised a security scanner called Trivy, a tool that companies use to check their software for vulnerabilities. They used the compromised scanner to steal credentials, which they then used to poison LiteLLM. In other words, they turned a company’s own security tool into the weapon.

Why this problem is getting worse, not better

Three forces are converging to make supply chain security one of the defining challenges of the coming decade.

First, software is eating the world faster than ever. Every industry healthcare, banking, transportation, energy, agriculture now depends on software. India’s Unified Payments Interface (UPI), which processed over 16 billion transactions in a single month in 2025, runs on layers of software built from open-source components. Digital public infrastructure everywhere depends on code that was written by volunteers and shared for free.

Second, artificial intelligence is amplifying both the opportunity and the risk. AI coding assistants now help developers write code faster than ever. But these assistants often recommend popular libraries without evaluating whether those libraries are secure. The very tools meant to boost productivity can inadvertently guide developers toward compromised packages. It is like a cooking assistant that recommends ingredients based on popularity rather than safety.

Third, the dependency trees are growing deeper. A recent industry analysis found that the average application now contains 581 open-source vulnerabilities — a 107% increase in just one year. AI applications are especially dependency-heavy, pulling in machine learning frameworks, data processing libraries, and provider SDKs that each bring their own supply chains.

The solution: AI-powered defense at scale

Fortunately, the same technology that is amplifying the risk artificial intelligence is also powering new forms of defense.

At GitHub, where I lead the Dependabot team within the Supply Chain Security organisation, we have built what is essentially an automated immune system for the world’s open-source software. Every day, Dependabot scans millions of repositories, identifies outdated or vulnerable dependencies, and automatically creates pull requests to fix them. Think of it as having a tireless assistant that checks every ingredient in your pantry, compares it against a global database of known contaminations, and swaps in a safe replacement before you even know there was a problem.

The scale of this operation is staggering. GitHub hosts over 180 million developers, and Dependabot actively monitors over 7 million repositories across more than 20 different package ecosystems from Python and JavaScript to Java, Ruby, Go, Rust, and beyond. It opens more automated updates than any other user on GitHub. Its alerts draw from the GitHub Advisory Database, which contains over 28,000 reviewed security advisories, each vetted to reduce false positives.

The next frontier for tools like Dependabot is artificial intelligence. Across the industry, security teams are exploring how AI can prioritise the most critical vulnerabilities, reduce the alert fatigue that wastes developer time, and even suggest targeted fixes that developers can review and merge with a single click. The potential is enormous: instead of waiting for humans to discover and patch vulnerabilities a process that can take weeks or months AI-augmented systems could detect and remediate threats in hours. It is the difference between a city that relies on citizens to report fires and one that has smoke detectors in every building connected to a central response system.

Why this matters for India

India’s digital transformation story is one of the great technology success stories of the 21st century. From Aadhaar to UPI to the India Stack, the country has built world-class digital public infrastructure that serves over a billion people. But this infrastructure is built on the same global open-source supply chain that is under attack.

Indian software companies export services to the world. Indian startups build products used by millions globally. With over 20 million developers, India is the second largest and fastest-growing developer community on GitHub, having grown by over 30 per cent in the last year alone. When the global software supply chain is insecure, India is disproportionately exposed both as a producer and consumer of software.

The good news is that India is also uniquely positioned to lead in this space. The country has a massive pool of software engineering talent, a government that understands digital infrastructure, and a startup ecosystem that is increasingly focused on cybersecurity. The Indian Computer Emergency Response Team (CERT-In) has been proactive about mandating vulnerability disclosures and incident reporting. But more needs to be done.

Organisations need to adopt automated dependency management tools. Developers need to be trained in secure software development practices. And the industry needs to invest in AI-powered security systems that can keep pace with the speed and complexity of modern software development.

The bigger picture: Building trust in the digital age

We are living through a period where the trust assumptions that underpin the digital economy are being tested. When you install an app, you trust that its components are safe. When a bank processes your transaction, it trusts the software running on its servers. When a hospital looks up your records, it trusts the systems that store them.

Supply chain security is about preserving that trust. It is not a niche technical concern. It is a foundational requirement for the digital economy, for national security, and for the basic functioning of modern life.

The attacks will keep coming. They will get more sophisticated. AI will be used both to attack and to defend. The question is not whether we will face more supply chain compromises, but whether we are building the automated, intelligent defenses needed to detect and remediate them faster than attackers can act.

As someone who works on this problem every day, I am cautiously optimistic. The tools are getting better. The awareness is growing. Governments are paying attention. But the gap between what we can do and what we need to do remains wide. Closing that gap is one of the most consequential engineering challenges of our generation and it is one that affects every person who touches a screen.

END OF ARTICLE