Avocado Consulting has called on Australian organisations to strengthen the security of their software supply chains following a recent high alert concerning code repository attacks, issued by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC).
The ACSC’s high alert highlights ongoing threats to online code repositories, including attacks that use social engineering, compromised credentials and authentication tokens, as well as the manipulation of software packages.
Risks in code repositories
Dennis Baltazar, Principal Cloud and DevSecOps Solutions at Avocado Consulting, emphasised the seriousness of the risks faced by organisations relying on online code repositories.
He pointed out that the techniques used by attackers have shifted significantly, making malicious activity harder to detect.
Baltazar adds, “What’s significant here is not just attacker capability but attacker tradecraft. This wave of repository targeting blends social engineering and living-off-the-land (LOTL) techniques – abusing legitimate tools and workflows so malicious activity looks like business as usual. Attackers don’t need bespoke malware when pipelines are already paved for them.”
One of the critical vulnerabilities identified by Baltazar is the spread of sensitive information such as passwords, keys, and tokens across multiple systems, commonly known as ‘secrets sprawl’.
He says, “The biggest blind spot we see isn’t a zero-day, it’s secrets sprawl. Keys and tokens in code or CI/CD logs turn a minor repo slip into organisation-wide compromise.”
Baltazar recommends that organisations undertake immediate audits to identify and address unmanaged privileged accounts and non-human identities, reducing potential paths for attackers to move within an organisation’s systems.
Improving developer security practices
Avocado Consulting further stressed that optimal secrets management requires making secure practices seamless for developers. The focus, Baltazar suggested, should be on integrating protections into development workflows, rather than relying solely on manual procedures or post-development checks.
“When Development and Security work from the same pipeline, security stops being a gate and becomes an accelerator. Give engineers guardrails – short-lived credentials, policy-as-code, and default secret detection – and you reduce incidents while increasing velocity,” says Baltazar.
Avocado’s recommendations in response to the ACSC alert include eliminating secrets from code and pipelines, making secret detection and push-protection default, rotating tokens frequently, and enforcing the use of short-lived and narrowly scoped credentials. They also advise organisations to validate every software dependency by default through mechanisms such as version pinning, integrity hashes, and checking provenance to prevent the introduction of vulnerabilities from external code.
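As an added illustration of the dependency-validation advice above (example code written for this article, not Avocado Consulting's or the ACSC's), the following Python script parses a lockfile in pip's "--hash=sha256:" style, rejects any entry that is not an exact "==" pin or carries no hash, and accepts a downloaded artifact only when its bytes hash to a listed value. The package names, versions, lockfile text and artifact bytes are constructed sample data; the tampered artifact shows why a pinned version alone is not enough.

```python
"""Dependency integrity check: exact version pins plus content hashes.

Added example (not from Avocado Consulting or the ACSC alert). It models the
"version pinning + integrity hashes" control: a lockfile lists each package
with an exact '==' version and one or more sha256 hashes, and an artifact is
accepted only if its bytes hash to a listed value. All package names,
versions and artifact contents below are constructed sample data.
"""
import hashlib
import re

# Pin line in pip --require-hashes style: "name==version --hash=sha256:<hex>"
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[0-9][A-Za-z0-9.]*)\s*(?P<rest>.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_lockfile(text):
    """Return ({name: {"version": v, "hashes": set()}}, [(line, reason), ...]).

    A line is rejected when it is not an exact '==' pin or has no sha256 hash,
    because either gap lets a substituted package through.
    """
    pins, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            rejected.append((line, "not an exact == pin"))
            continue
        hashes = set(HASH_RE.findall(m.group("rest")))
        if not hashes:
            rejected.append((line, "no sha256 hash"))
            continue
        pins[m.group("name").lower()] = {
            "version": m.group("version"), "hashes": hashes}
    return pins, rejected


def verify_artifact(name, version, data, pins):
    """Accept the artifact only if name/version are pinned and its sha256 is listed."""
    entry = pins.get(name.lower())
    if entry is None or entry["version"] != version:
        return False
    return hashlib.sha256(data).hexdigest() in entry["hashes"]


# Constructed artifacts: the "good" wheel and a copy with injected content.
GOOD_WHEEL = b"constructed wheel bytes for acme-utils 1.4.2"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected payload (constructed)"

# Constructed lockfile: one valid pin, one loose range, one pin without a hash.
LOCKFILE = f"""
# constructed lockfile for the example
acme-utils==1.4.2 --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}
loose-lib>=2.0
nohash-lib==0.9.0
"""


def run_check():
    """Exercise the lockfile rules and both artifacts; returns a result dict."""
    pins, rejected = parse_lockfile(LOCKFILE)
    return {
        "pinned": sorted(pins),
        "rejected": [reason for _, reason in rejected],
        "good_ok": verify_artifact("acme-utils", "1.4.2", GOOD_WHEEL, pins),
        "tampered_ok": verify_artifact("acme-utils", "1.4.2", TAMPERED_WHEEL, pins),
        "wrong_version_ok": verify_artifact("acme-utils", "1.4.3", GOOD_WHEEL, pins),
    }


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

In a real pipeline the same two checks sit in the install step (pip's --require-hashes, npm's lockfile integrity fields, or a Go sum file), and provenance checking adds a signature or attestation over the artifact on top of the hash; this example only shows the hash and pin layer.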
Another practice advocated by Avocado is to monitor the software development lifecycle in a manner similar to production environments, baselining expected developer and CI/CD activity to detect and respond to abnormal activity indicative of ‘living-off-the-land’ tactics as early as possible.
Questions for leaders
Baltazar has suggested that organisational leaders use targeted questions to assess their exposure and readiness regarding code and credential management:
“Leaders should ask two questions today: Do we know where secrets and privileged access still live in code, pipelines and SaaS integrations – and how fast can we rotate or remove them? And do we measure dependency integrity and anomalous pipeline behaviour with the same rigour we apply to production systems?”
Baltazar also highlighted the broader risks associated with inadequate code repository security.
“Your code is more than just code – it’s your identity, your infrastructure, your business; it accesses your critical data. Organisations should treat it like any other valuable asset by ensuring it is protected from vulnerabilities.”
He outlined the possible negative outcomes if proper actions are not taken, including compromise of cryptographic keys and passwords, unauthorised access to cloud infrastructure, identity theft, privilege escalation, and large-scale reputational and operational harm.
“The risks of not taking action are exposure of cryptographic keys and passwords; cloud-infrastructure compromise; identity theft and privilege escalation; and long-term reputational and operational damage. Good security teams rotate secrets; great teams eradicate them from code, instrument their pipelines, and catch abuse in runtime before it becomes an incident.”
Recommended actions
In practical terms, Avocado Consulting advises organisations to audit their secrets and privileged accounts across repositories, CI/CD systems, cloud environments and SaaS platforms, revoking stale credentials and ensuring access is appropriately managed. They also recommend comprehensive reviews of code repositories and conducting workload identity and secrets analysis in line with recognised risk frameworks, such as those published by OWASP.
By embedding developer-friendly controls such as push protection, automated secret scanning at each stage of code integration, and the use of short-lived credentials, Avocado Consulting states that organisations can make secure practices the default within their software supply chain processes.
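The "default secret detection and push protection" control recommended above and in the earlier list of recommendations can be seen in miniature in the following added example (written for this article, not Avocado Consulting's or any vendor's code). It scans only the added lines of a git diff, reports hits by rule with the value masked, and blocks the push on any hit. Pattern rules cover a few well-known credential formats, and a generic rule flags a secret-like assignment whose value is long and high-entropy while ignoring obvious placeholders. The diff, the credential-shaped sample values and the placeholder list are all constructed for the example.

```python
"""Push-protection style secret scan over a git diff.

Added example (not Avocado Consulting's or any vendor's code). Only lines
being added ('+') are examined, hits are reported per rule with the value
masked, and any hit blocks the push. The diff, the credential-shaped sample
values and the placeholder allowlist below are constructed for this example.
"""
import math
import re

# Pattern rules for well-known credential formats.
PATTERN_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]
# Generic rule: an assignment to a secret-like name with a long value.
# The name may be preceded by '_' (DB_PASSWORD) so a plain \b is not used.
ASSIGN_RE = re.compile(
    r"(?i)(?:^|[^a-z0-9])(password|passwd|secret|token|api[_-]?key)"
    r"\s*[=:]\s*['\"]?([^'\"\s]{16,})")
ENTROPY_THRESHOLD = 3.5   # bits per character; tune to your codebase
PLACEHOLDERS = ("example", "changeme", "<redacted>", "xxxx")


def shannon_entropy(value):
    """Bits per character of the value's character distribution."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value):
    """Keep a short prefix so the finding can be located without re-exposing it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_diff(diff_text):
    """Return findings [(path, rule, masked_value)] for added lines only."""
    findings = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if not line.startswith("+"):
            continue  # context and removed lines never block a push
        added = line[1:]
        for rule, rx in PATTERN_RULES:
            for m in rx.finditer(added):
                findings.append((path, rule, mask(m.group(0))))
        m = ASSIGN_RE.search(added)
        if m:
            value = m.group(2)
            is_placeholder = any(p in value.lower() for p in PLACEHOLDERS)
            if not is_placeholder and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(
                    (path, "high_entropy_" + m.group(1).lower(), mask(value)))
    return findings


def should_block(findings):
    """Push protection policy: any finding blocks the push."""
    return len(findings) > 0


# Constructed diff: the removed token must not fire; the added key, private
# key header and high-entropy password must; the two placeholders must not.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,8 @@
 DEBUG = False
-OLD_TOKEN = "ghp_x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0"
+AWS_ACCESS_KEY_ID = "AKIACONSTRUCTED12345"
+SSH_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----"
+DB_PASSWORD = "Qz9pL2mX8kR4tV7wB1nH5jF3"
+ADMIN_PASSWORD = "changeme"
+API_KEY = "example-key-placeholder-value"
"""

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF)
    for path, rule, masked in hits:
        print(f"{path}: {rule}: {masked}")
    print("push blocked" if should_block(hits) else "push allowed")
```

Wired in as a pre-receive hook or a CI job on pull requests, a scanner like this gives the "guardrail" behaviour described in the article: the engineer sees the finding at push time rather than in a post-hoc audit, and the removed-line rule avoids blocking the very commit that cleans a secret out of the repository (the leaked value should of course still be rotated).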