Sharat Satyanarayana
@bratrat
Building https://t.co/AP5w0Tkant (Federating the world's brain data); SciFi & Graphic Novels









🚨💣STARTUP INDIA, buckle up for Saturday truth bombs. I’m going to say a few things that Indian founders usually won’t say out loud.

Over the last 2 odd years I’ve been on the ground in India, working very closely with founders from idea stage all the way to Series A/B, and also spending a fair bit of time with funds across the spectrum. I sit in a slightly unusual position in this ecosystem — I’m not a full-time VC, I’m not a founder either. I’ve spent most of my time as an operator, globally, and as someone who enables networks across founders, funds, and companies. Which basically means I get to see both sides of the table more than most people do.

And more importantly, a lot of founders tell me a lot of things they will never say publicly, because they are scared of VCs, they are worried about access to capital, or they don’t want to burn bridges. I usually try to pass that feedback back to funds in a constructive way, protecting founders where needed. But I think some of this needs to be said openly, especially for early founders who are just entering the system. So here goes:

“We invest at paper napkin stage” is one of the most overused lines in this ecosystem. It sounds great, and I’m sure there are a few genuine cases, but in reality most decisions are still supported by proxies — early signals, pedigree, prior affiliations, how you present, and yes, a surprising amount of Excel-based thinking even at stages where that shouldn’t be the primary lens. You’ll be told it’s about conviction, but you’ll still be pushed into projections, assumptions, and frameworks that try to reduce uncertainty as quickly as possible.

I want founders to know that most VCs are structurally designed to say no, that’s NOT the issue. The issue is how that “no” is often delivered — a lot of founders walk away without any real understanding of what didn’t work, because the answer is usually something superfluous like “not enough signal” or “doesn’t fit our thesis”, which in many cases is just uncertainty dressed up as a decision. Very few people will actually tell you where they think your business could break.

Risk aversion in India is very real, it’s just not called that. It shows up in more polite forms — like where you studied, where you’ve worked, how you speak, how you present yourself in a room. Founders from non-traditional paths or Tier 2/3 India feel this immediately, even if nobody explicitly says it.

There is also a lot more FOMO in early-stage investing than people would like to admit. You’ll see funds move quickly when others are already in, you’ll see pressure to get onto cap tables, and sometimes the urgency has less to do with your company and more to do with how the fund wants to position itself or deploy capital.

And this is important — a lot of Indian VCs are not forming independent conviction as often as you would hope. They are watching what’s happening in the US and then mapping that back here. You can literally see waves move — SaaS, edtech, now AI, now “deep tech”, now defense, now robotics — and the same funds will move across these categories over time. There are exceptions, for example imho fintech investing in India did carve out its own path, and quick commerce to some extent as well, but a lot of the rest follows a pattern of observing what’s working elsewhere and then adapting it locally.

The operator gap is something founders need to pay a lot more attention to. If someone is investing in enterprise SaaS, it’s worth asking whether they’ve ever actually sold enterprise software themselves?? If they’re investing in AI, have they built anything meaningful or are they just experimenting at a surface level?? If they’re investing in hardware or robotics, have they seen a deployment go wrong in the real world?? A lot of the time, founders end up spending a significant portion of the conversation explaining their space to the very people evaluating them.

There’s also a very real gap internally within funds that founders don’t see — what partners say at a high level and what analysts evaluate on are not always aligned, which means you can walk out of one conversation feeling strong alignment and then find yourself re-explaining everything in the next. It creates confusion, and most founders just absorb that friction silently.

And please, don’t get overly swayed by the “we’ll take you to Silicon Valley” narrative. This one needs to be said clearly. You don’t need to necessarily be in San Francisco, you need to be where your customer is. Period. I’ve seen too many founders get excited about Bay Area trips, demo days, and immersion programs, and come back with no real customer insight, no distribution, and no meaningful progress. You are not building a company by attending events and walking around SF. If your customers are in India, stay here and go deeper. If they’re in Southeast Asia, go there. If they’re in the US, figure out where exactly, not just Silicon Valley, it could be the Midwest or Miami. Get the VC to take you there. Geography should follow customers, not self-serving VC narratives.

On capital, especially for early-stage founders, it’s worth rethinking how much you actually need. In software, the cost of getting something off the ground has dropped significantly — as @mcuban pointed out recently on @tbpn, it’s never been easier to build software: ship, test, and start charging. Your first validation can come from customers, not investors. Dilution is not something you need to rush into if you don’t have to. Hardware is a different game, of course, capital matters there, but even in hardware I’m seeing founders find alternative paths — working with China, using labs, building in smaller batches, and being more capital efficient than before.

One thing I’ll tell early founders very clearly — don’t get overly impressed by funds that say they’ve done 100+ investments. In many cases, smaller yet intentional portfolios lead to better attention and support. If a fund is spread too thin, you need to ask yourself how much time they realistically have for you once the cheque is written.

And please, do diligence on your VCs the same way they do on you: Talk to founders they’ve backed, not just the ones they showcase. Ask what actually happened AFTER the investment — did they help you get customers? did they show up when things got difficult? or was it mostly intros, programs, and surface-level engagement?

At the end of the day, VCs are one input. Your customer is the only real signal that matters. There are good investors in India, I’ve worked with some and continue to do so. But founders need to go in with their eyes open and separate X/LinkedIn narrative from reality. If you’ve been through this, you already know exactly what I’m talking about.








🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise.

This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:

• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
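
A lockfile audit for the two package versions named in the alert above, as an added example that is not part of the post and not Socket's code: it scans a parsed `package-lock.json`, in either the nested v1 layout or the flat v2/v3 `packages` layout, for `axios@1.14.1` and `plain-crypto-js@4.2.1`. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Indicators are the two package versions named in the alert.
const INDICATORS = new Map([['axios', ['1.14.1']], ['plain-crypto-js', ['4.2.1']]]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (lockfile v2/v3 keys).
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? p : p.slice(i + 'node_modules/'.length);
}

// Lockfile v1 nests transitive dependencies; walk the tree recursively.
function* walkV1(deps, trail) {
  for (const [name, info] of Object.entries(deps || {})) {
    yield { name, version: info.version, where: [...trail, name].join(' > ') };
    yield* walkV1(info.dependencies, [...trail, name]);
  }
}

// Returns every locked package whose name and version match an indicator.
function auditLockfile(lock) {
  const entries = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry
      // Aliased installs carry the real package name in `name`.
      entries.push({ name: info.name || nameFromPath(path), version: info.version, where: path });
    }
  } else {
    entries.push(...walkV1(lock.dependencies, []));
  }
  return entries.filter((e) => (INDICATORS.get(e.name) || []).includes(e.version));
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '0.0.1' },
  'node_modules/axios': { version: '1.14.1' },
  'node_modules/plain-crypto-js': { version: '4.2.1' },
  'node_modules/left-pad': { version: '1.3.0' },
} };

// Optional CLI: node audit.js path/to/package-lock.json
if (typeof process !== 'undefined' && process.argv[2]) {
  import('node:fs').then((fs) => {
    const hits = auditLockfile(JSON.parse(fs.readFileSync(process.argv[2], 'utf8')));
    for (const h of hits) console.log(`FLAGGED ${h.name}@${h.version} at ${h.where}`);
    process.exitCode = hits.length ? 1 : 0;
  });
}
```

Run against a lockfile path, the script exits non-zero when a flagged version is locked, which makes it usable as a CI gate.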











