
PRESS RELEASE

Avocado Consulting urges action as ACSC issues second High Alert on code-repository targeting in five months

Avocado Consulting is again urging Australian organisations to take practical steps to harden their software supply chains, following the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) re-issuing its High Alert on the ongoing targeting of online code repositories on 1 April 2026 — the second such alert in just five months. The ACSC first issued this alert on 19 September 2025.

The alert highlights ongoing targeting of online code repositories including access gained via social engineering, compromised credentials and authentication tokens, and package tampering.

“The fact that the ACSC has felt compelled to re-issue this alert within five months is a clear signal that the threat has not abated — and that many organisations have yet to act,” says Dennis Baltazar, Principal Cloud and DevSecOps Solutions at Avocado Consulting.

“Code repositories are under active attack. What’s significant here is not just attacker capability but attacker tradecraft. This wave of repository targeting blends social engineering with living-off-the-land (LOTL) techniques — abusing legitimate tools and workflows so malicious activity looks like business as usual. Attackers don’t need bespoke malware when pipelines are already paved for them,” adds Baltazar.


Baltazar says that secrets sprawl — scattered secrets across multiple vaults and tools — remains a key and underappreciated risk.

“The biggest blind spot we see isn’t a zero-day, it’s secrets sprawl. Keys and tokens in code or CI/CD logs turn a minor repo slip into organisation-wide compromise,” said Dennis Baltazar.

He also advises immediate audits to identify and remediate unmanaged privileged and non-human accounts before they become pathways to lateral movement.

Avocado emphasises that effective secrets management is as much a developer-experience challenge as a security one. The goal is to make secure workflows the path of least resistance: centralise secrets, automate rotation, and build push-protection and secret scanning into commit, push and build — so teams move faster and safer without bolting security on at the end.

“When Development and Security work from the same pipeline, security stops being a gate and becomes an accelerator. Give engineers guardrails — short-lived credentials, policy-as-code, and default secret detection — and you reduce incidents while increasing velocity,” says Dennis Baltazar.

Baltazar says, “Leaders should ask two questions today: Do we know where secrets and privileged access still live in code, pipelines and SaaS integrations — and how fast can we rotate or remove them? And do we measure dependency integrity and anomalous pipeline behaviour with the same rigour we apply to production systems?” He adds that if these core questions are not understood and actioned, organisations may be at risk.

“Your code is more than just code — it’s your identity, your infrastructure, your business; it accesses your critical data. Organisations should treat it like any other valuable asset by ensuring it is protected from vulnerabilities,” says Baltazar.

“The risks of not taking action are exposure of cryptographic keys and passwords; cloud-infrastructure compromise; identity theft and privilege escalation; and long-term reputational and operational damage,” Baltazar warns.

“Good security teams rotate secrets; great teams eradicate them from code, instrument their pipelines, and catch abuse in runtime before it becomes an incident,” Baltazar added.

Baltazar recommends the following four steps. For full insights, including the first-72-hours plan and the subsequent 7-day plan, read his full blog.

1. Eliminate secrets from code and pipelines. Make secret detection and push protection the default; rotate tokens; enforce short-lived, scoped credentials.

2. Validate every dependency by default. Pin versions and integrity hashes, check provenance, and block unverified sources in CI/CD.

3. Observe the SDLC like production. Baseline normal developer and CI/CD activity and alert on anomalies to detect living-off-the-land (LOTL) tactics early.

4. Audit secrets and unmanaged privileged accounts. Identify all secrets and all privileged accounts, including non-human accounts, across code, CI/CD and SaaS; revoke stale access and enforce least privilege.
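The following script is an added example of what steps 1 and 2 above (and the "push-protection and secret scanning into commit, push and build" practice described earlier) look like as a concrete CI or pre-push gate. It is not Avocado's tooling and is not from the ACSC alert. The detector regexes, the unified diff, the requirements fragment, the placeholder sha256 digest and the sample token values are all constructed assumptions (the AWS value is the documentation example key, the GitHub token is a made-up string of the right shape); a production gate would take its detector list from a maintained scanner and its hashes from real lockfile tooling.

```python
"""Added example (not Avocado's or ACSC's code): a CI/pre-push gate that blocks
secret-shaped strings in added lines and refuses unpinned or unhashed dependencies."""
import re

# Assumed detector shapes, kept narrow so push protection stays quiet on normal code.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['\"][^'\"\s]{12,}['\"]"),
}
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==[^\s;]+")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")
SOURCE_OPTS = {"-i", "--index-url", "--extra-index-url", "-f", "--find-links"}


def scan_diff(diff):
    """Push-protection check over a unified diff. Only ADDED lines are scanned, so
    rotated material already in history does not re-fire on every push. Returns
    (detector, path, new_line_no, redacted_preview) tuples; never the full value."""
    findings, path, new_line = [], "?", 0
    for raw in diff.splitlines():
        if raw.startswith(("diff ", "index ", "--- ")):
            continue
        if raw.startswith("+++ "):
            path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            new_line = int(hunk.group(1))  # counter restarts at every hunk
            continue
        if raw.startswith("-"):
            continue  # removed lines occupy no new-file line number
        if raw.startswith("+"):
            for kind, pat in SECRET_PATTERNS.items():
                hit = pat.search(raw[1:])
                if hit:  # first (most specific) detector wins for the line
                    findings.append((kind, path, new_line, hit.group(0)[:4] + "..."))
                    break
        new_line += 1  # context and added lines both advance the counter
    return findings


def _logical_lines(text):
    """Fold backslash continuations (pip writes one --hash per continued line),
    keeping the line number of the first physical line."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start if buf else n
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        yield start, " ".join(buf + [raw])
        buf = []
    if buf:
        yield start, " ".join(buf)


def check_requirements(text):
    """Dependency gate on pip's --require-hashes model. Returns (lineno, reason,
    subject) for every line not '==' pinned with a sha256 hash, plus any index
    override or bare URL/VCS source, which CI should refuse outright."""
    problems = []
    for lineno, logical in _logical_lines(text):
        line = logical.split("#", 1)[0].strip()
        if not line:
            continue
        head = line.split()[0]
        opt = head.split("=", 1)[0]
        if opt in SOURCE_OPTS:
            problems.append((lineno, "index-override", opt))
        elif "://" in head or head.startswith("git+"):
            problems.append((lineno, "direct-url", head))
        elif not PIN_RE.match(line):
            problems.append((lineno, "unpinned", head))
        elif not HASH_RE.search(line):
            problems.append((lineno, "no-hash", PIN_RE.match(line).group(1)))
    return problems


def gate_allows(diff, requirements):
    """True only when both checks are clean; the CI job fails otherwise."""
    return not scan_diff(diff) and not check_requirements(requirements)


# Constructed inputs: AWS documentation example key, made-up GitHub token shape,
# placeholder digest. None of these are real credentials or real package hashes.
SAMPLE_DIFF = """\
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -10,3 +10,6 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+SMTP_PASSWORD = "s3cr3t-mailer-pass"
"""
SAMPLE_REQUIREMENTS = """\
# constructed lockfile fragment
requests==2.32.3 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3>=2.0             # floating range: any future upload is accepted
pyyaml==6.0.1            # pinned, but nothing verifies the download
--extra-index-url https://pypi.internal.example/simple
"""

if __name__ == "__main__":
    for kind, path, line, preview in scan_diff(SAMPLE_DIFF):
        print(f"BLOCK secret {kind} at {path}:{line} ({preview})")
    for lineno, reason, subject in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"BLOCK dependency {reason} at requirements.txt:{lineno} ({subject})")
    raise SystemExit(0 if gate_allows(SAMPLE_DIFF, SAMPLE_REQUIREMENTS) else 1)
```

Two design choices matter here. The secret scanner only reads lines a commit adds, which is what lets push protection run on every push without re-flagging history that has already been rotated; it also logs a four-character preview rather than the value, so the CI log itself does not become the next leak (the "keys and tokens in CI/CD logs" problem quoted above). The dependency check treats an `--extra-index-url` or a bare URL as a failure, not a warning, because an index override is exactly how an unverified source gets into a build.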

How Avocado can help

  • Audit secrets and unmanaged privileged/non-human accounts across repositories, CI/CD, cloud and SaaS; revoke stale credentials and right-size access.
  • Comprehensive review of code repositories, from intellectual property to open-source packages. Ask about Avocado’s identity scan. This scan will identify unmanaged identities including secrets, keys and tokens used in CI/CD pipelines and native cloud infrastructures.
  • Workload identity and secrets analysis mapped to OWASP Top 10 risks for non-human identities.
  • Pipeline hardening from build to operate, including policy-as-code and runbook updates.
  • DevSecOps enablement: embed developer-friendly controls (push protection, secret scanning at commit/push/build, policy-as-code, short-lived credentials) so secure practice is the default, not an afterthought.

Media contact
Amy Kitson: [email protected] | 0455 515 060

About Avocado Consulting
Avocado Consulting helps organisations deliver with certainty across cloud, security, testing and DevSecOps – uplifting teams and hardening platforms with practical, outcome-focused services.

Read the related media:

High alert! ACSC warns of hackers targeting online code repositories – cyberdaily

Avocado warns on code repository supply chain attacks – Security Brief

eCommerceNews Australia – Technology news for digital commerce decision-makers
https://ecommercenews.com.au/story/avocado-warns-on-code-repository-supply-chain-attacks

IT Brief Australia – Technology news for CIOs & IT decision-makers
https://itbrief.com.au/story/avocado-warns-on-code-repository-supply-chain-attacks

SecurityBrief Australia – Technology news for CISOs & cybersecurity decision-makers
https://securitybrief.com.au/story/avocado-warns-on-code-repository-supply-chain-attacks


ASD alerts about targeting of online code repositories, Jason Pollock, tyechpartner.news

ACSC warns Aussie organisations of ongoing targeting of code repositories, David Hollingworth, cyberdaily.au

Avocado warns on code repository supply chain attacks, Mark Tarre, TechDay
