Seqrite Flags Supply Chain Attacks as India’s Stealthiest 2026 Cyber Risk

Seqrite, the enterprise security arm of Quick Heal Technologies, has warned that software supply chain attacks have become one of the most dangerous and least visible cyber risks facing Indian organisations in 2026. Instead of directly assaulting hardened enterprise perimeters, adversaries now increasingly infiltrate trusted partners, software vendors and service providers, inserting backdoors into seemingly legitimate updates, plugins and libraries that reach corporate networks through approved channels. This model turns an organisation’s own dependency stack—managed service providers, SaaS vendors, sector-specific software and open-source components—into a powerful attack surface that can be abused at scale.

Historical incidents such as the SolarWinds compromise, the Kaseya VSA ransomware campaign and the NotPetya tax software attack illustrated how a single poisoned update could cascade across thousands of customers simultaneously, disrupting government agencies and private enterprises globally. Seqrite stresses that these were early signals of a pattern now accelerating in India as the country’s digital economy becomes deeply intertwined with third-party platforms across BFSI, healthcare, manufacturing and education. For senior technology and risk leaders, this shift means that traditional perimeter-centric defences are no longer sufficient; the effective boundary now extends to every vendor with code or integration rights into core systems.

India Cyber Threat Report 2026 highlights accelerating exposure

Seqrite’s India Cyber Threat Report 2026, based on telemetry from more than 8 million endpoints, recorded 265.52 million detections between October 2024 and September 2025, averaging 505 detections per minute and more than 727,000 per day. Trojans and file infectors alone accounted for nearly 70% of all attacks, with 88.4 million Trojan detections and 71.1 million file infector detections, underscoring the persistence of malware designed to establish covert footholds and move laterally through networks. Education, healthcare and manufacturing together represented close to 47% of all detections, reflecting both the sensitivity of their data and the extensive use of specialised third-party applications in these sectors.

Ransomware groups such as KillSec and Babuk2 emerged among the most aggressive operators targeting Indian organisations, frequently exploiting weak vendor controls and misconfigured remote access to enter environments indirectly. These campaigns increasingly align with global observations that attackers prefer leveraging supply chain paths and managed service providers, as a single compromise can provide simultaneous access to multiple downstream customers without triggering conventional intrusion alerts. For Indian enterprises, particularly in BFSI and healthcare, this dynamic significantly raises the stakes of vendor risk management, as a breach originating in a seemingly peripheral provider can rapidly become a sector-level crisis.

From point-in-time checks to continuous vendor assurance

Seqrite’s advisory emphasises that defending against supply chain attacks requires a shift from one-off vendor due diligence to continuous verification, visibility and response readiness across the entire digital ecosystem. Organisations are urged to rigorously assess vendor security policies, update mechanisms and incident response capabilities, treating software providers and integrators as extensions of their own security perimeter rather than purely commercial partners. Access for third parties should be limited to the minimum necessary for operations, with just-in-time permissions, hardened authentication and immediate revocation when contracts end or roles change.

Operationally, this translates into monitoring software updates for anomalies, tracking unusual application behaviour, enforcing multi-factor authentication on all internal and external connections and maintaining clear inventories of dependencies and integrations. For boards and audit committees, the message is that supply chain risk is now a strategic exposure; oversight must extend to whether the organisation can detect tampered updates quickly, isolate affected systems and coordinate with vendors during joint incident response.

Data protection, DPDP compliance and Seqrite’s positioning

In the event of a supply chain breach, personally identifiable information, financial records, employee data and customer profiles are often among the first assets exposed, given their presence across shared platforms and multi-tenant systems. Seqrite argues that privacy-centric controls—automated discovery, classification, consent tracking, access management and breach readiness—are no longer optional add-ons but integral to cyber resilience, particularly under India’s Digital Personal Data Protection Act, 2023. The DPDP framework introduces penalties of up to ₹250 crore per breach where data fiduciaries fail to implement reasonable security safeguards, effectively elevating data protection failures into board-level financial risks.

Seqrite positions its enterprise products, including Seqrite Data Privacy, as compliant with DPDP provisions and tailored for hybrid environments where data spans on-premises systems, cloud workloads and third-party platforms. For Indian enterprises, this alignment offers a path to unify technical controls for threat detection with regulatory obligations for personal data governance, reducing the likelihood that a vendor-led compromise triggers both operational disruption and punitive sanctions. As supply chain attacks solidify into a defining stealth threat of 2026, technology and risk leaders will need to treat vendor ecosystems as integral components of their security architecture and invest accordingly.
