Your code repository just became your hottest attack surface. Here’s how to cool it down.
Secure code repositories – ACSC high alert
Code repositories are under attack. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has issued a High Alert on the ongoing targeting of online code repositories.
Using a mix of techniques, threat actors are exploiting stolen credentials, phishing and infected packages to infiltrate developer environments, then scanning for secrets, leaking credentials and modifying packages to launch supply-chain attacks. Because these intrusions mostly use legitimate tools rather than bespoke malware, threat actors can pivot through software supply chains unnoticed.
If your software development lifecycle (SDLC) and build pipelines aren’t instrumented for this reality, you’re flying blind.
In this article, Dennis Baltazar, Cloud and DevSecOps Consultant at Avocado Consulting, unpacks the alert and provides guidance on how organisations should respond.
The new normal: “living off the land” in developer space
What’s changed is not just attacker capability but attacker tradecraft. Today’s tradecraft blends into everyday developer and administrator behaviour – native tools, package managers and continuous integration/continuous delivery (CI/CD) workflows.
Anomalies are easy to miss unless you deliberately log and analyse developer, cloud and pipeline activity across the end-to-end build and release cycle (with platforms such as Dynatrace). Code-runtime security observability then helps you identify and monitor vulnerabilities in applications, covering third-party libraries, runtimes and leaked secrets, across both production and pre-production, and can block threats automatically in real time.
“This wave of repository targeting blends social engineering with living-off-the-land tradecraft – attackers don’t need bespoke malware when our pipelines are already paved for them.”
The amplifier: secrets sprawl
Most organisations don’t fall to exotic exploits; they fall to secrets sprawl – keys and tokens left in source code, configuration files or CI logs. One leaked long-lived token can turn a minor repository slip into organisation-wide exposure.
More troubling, 70% of secrets leaked in 2022 remain active today, dramatically expanding the attack surface for threat actors.
The ACSC’s guidance is clear: treat keys and secrets as crown-jewel assets, manage them across their lifecycle, and remove them from code and pipelines entirely.
“The biggest enterprise blind spot isn’t a zero-day – it’s secrets sprawl. Keys and tokens in code or CI logs turn a minor repo slip into organisation-wide compromise.”
Where organisations stumble
- Hard-coded credentials.
- Long-lived CI/CD tokens.
- Permissive dependency policies and weak package hygiene.
- Gaps across public and private repositories that open paths into cloud environments.
Together, these escalate a single repository issue into a supply-chain and cloud compromise.
How should organisations respond?
Do now (0–72 hours)
- Investigate and contain: audit your code repositories. Review recent package installs, CI jobs, workflow changes and repo permissions; quarantine suspicious packages.
- Rotate and remove secrets: run an org-wide secret scan; revoke/rotate exposed tokens and keys; strip plaintext credentials from code and CI/CD; enforce short-lived, scoped credentials.
- Validate dependencies: pin versions and integrity hashes; verify provenance; block unverified sources.
- Detect LOTL behaviour: centralise logs and alert on anomalous use of native tools and package managers, unusual token use or unexpected repository migrations. See the joint international guidance, Identifying and Mitigating Living Off the Land Techniques.
- Brief the team: targeted comms on phishing/vishing and social engineering aimed at maintainers.
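As an added illustration of the "rotate and remove secrets" step above (example code written for this article, not part of the ACSC alert, Avocado's tooling or any vendor scanner), the Python below scans a constructed repository snapshot, including a CI log, for both recognisable credential formats and high-entropy values assigned to secret-looking keys, and reports only a redacted preview of each hit so the report itself does not leak. The patterns, the entropy threshold and the sample files are assumptions made for the example; the same rule set, run in a pre-receive hook, is what push protection enforces at push time rather than after the fact.

```python
"""Org-wide secret scan over a repository snapshot (added example, not the article's code).

Two detection strategies run over every file: fixed patterns for credential
formats that are recognisable on sight, and an entropy check on values assigned
to secret-looking keys, so opaque API keys are caught too. Findings carry a
redacted preview only, so the scan report does not itself become a leak.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Recognisable credential formats. These patterns are assumptions kept narrow
# to limit false positives; a production scanner ships hundreds of them.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Bearer tokens echoed into CI output are the classic "secret in CI logs" leak.
    "bearer_in_log": re.compile(r"Authorization:\s*Bearer\s+([A-Za-z0-9._\-]{20,})", re.I),
}

# Generic assignment such as  password = "..."  or  api_key: '...'
ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^'\"\s]{12,})"
)
PLACEHOLDERS = {"your-password-here", "replace-with-real-value"}  # assumption
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption to tune per codebase


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    preview: str  # redacted; never the full value


def shannon_entropy(value: str) -> float:
    """Bits per character; random hex or base64 keys score roughly 3.5 to 6."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_known = False
        for rule, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, line_no, rule, redact(value)))
                matched_known = True
        if matched_known:
            continue  # do not double-report the same value under the generic rule
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Templated (${VAR}) or placeholder values are not live secrets.
            if value.startswith("${") or value.lower() in PLACEHOLDERS:
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high_entropy_assignment", redact(value)))
    return findings


def scan_repository(files: dict[str, str]) -> list[Finding]:
    """files maps a path to its text, e.g. from a checkout plus an archived CI log."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


# Constructed repository snapshot. The AWS key is AWS's documented example
# value; every other secret-looking string is made up for this example.
SAMPLE_REPO = {
    "src/settings.py": (
        'password = "your-password-here"  # placeholder, overwritten from the environment\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'SESSION_SALT = "${VAULT_SESSION_SALT}"\n'
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  GH_TOKEN: ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789\n"
    ),
    "ci/build-1234.log": (
        "2025-09-10T03:14:07Z curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2VjcmV0.c2ln' https://api.internal/\n"
        "2025-09-10T03:14:09Z build ok\n"
    ),
    "config/app.ini": (
        "api_key = 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c\n"
        "region = ap-southeast-2\n"
    ),
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.preview}")
```

Running it lists four findings: the AWS key in settings, the GitHub token in the workflow file, the bearer token echoed into the CI log, and the opaque API key in the INI file, while the placeholder and the Vault-templated value are ignored. Each finding is the input to the next two actions in the list: revoke and rotate the credential, then move it out of the file into the secrets manager.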
Next 7 days
- Eradicate secrets from code and pipelines (make push-protection and secret detection default; manage exceptions via policy-as-code).
- Bake dependency assurance into CI/CD (hash/versions pinned, provenance checks enforced in the pipeline – not left to developer preference).
- Baseline the SDLC like production (define “normal” dev/admin/CI behaviour; alert on deviations; add runbooks).
- Define metrics (time-to-rotate, % repos with zero hard-coded secrets, dependency integrity coverage, MTTD for anomalous CI activity).
- Empower developers with secure tooling (secret scanning at commit, push and build time, short-lived credentials and standard pipeline templates) so the secure path is also the easy path.
- Governance (publish/update policies, standardise build templates, align procurement/architecture/operations to the same controls).
- Partner with Avocado to build a resilient security posture.
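As an added example of the "detect LOTL behaviour" item in the 0–72 hour list and the "baseline the SDLC like production" item above (illustrative code written for this article, not an ACSC, Dynatrace or Avocado detection), the Python below builds a baseline of normal token, package-manager, push and workflow-edit activity from a known-good window of constructed audit events, then flags deviations in a later window. The event schema, actor names, token labels and IP addresses are all assumptions made up for the example; no vendor's audit-log format is implied.

```python
"""Baseline-and-deviation detection over developer-platform audit events (added example).

Living-off-the-land activity in a pipeline uses the same tools as legitimate
work, so the signal is who acted, from where and in which job, rather than
which binary ran. A baseline is learned from a known-good window and later
events are checked against it.
"""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed audit events in a JSON-lines shape; the field names are an
# assumption for this example, not any vendor's schema.
BASELINE_LOG = """\
{"ts":"2025-09-01T09:02:11Z","actor":"alice","action":"git.push","repo":"payments","ip":"203.0.113.10","job":null,"detail":"src/ledger.py"}
{"ts":"2025-09-01T09:05:40Z","actor":"ci-bot","action":"token.use","repo":"payments","ip":"198.51.100.7","job":"build","detail":"token:ci-deploy"}
{"ts":"2025-09-01T09:05:42Z","actor":"ci-bot","action":"exec","repo":"payments","ip":"198.51.100.7","job":"build","detail":"pip install -r requirements.txt"}
{"ts":"2025-09-01T09:09:03Z","actor":"ci-bot","action":"token.use","repo":"payments","ip":"198.51.100.7","job":"deploy","detail":"token:ci-deploy"}
{"ts":"2025-09-02T10:15:27Z","actor":"bob","action":"git.push","repo":"payments","ip":"203.0.113.22","job":null,"detail":".github/workflows/build.yml"}
"""

NEW_LOG = """\
{"ts":"2025-09-10T03:14:07Z","actor":"ci-bot","action":"token.use","repo":"payments","ip":"192.0.2.99","job":null,"detail":"token:ci-deploy"}
{"ts":"2025-09-10T03:14:09Z","actor":"ci-bot","action":"exec","repo":"payments","ip":"198.51.100.7","job":"deploy","detail":"npm install evil-helper"}
{"ts":"2025-09-10T03:16:30Z","actor":"alice","action":"git.push","repo":"payments","ip":"203.0.113.10","job":null,"detail":"src/ledger.py"}
{"ts":"2025-09-10T03:20:01Z","actor":"mallory","action":"git.push","repo":"payments","ip":"192.0.2.99","job":null,"detail":".github/workflows/build.yml"}
{"ts":"2025-09-10T03:25:44Z","actor":"mallory","action":"repo.transfer","repo":"payments","ip":"192.0.2.99","job":null,"detail":"to org: external-org"}
"""

PACKAGE_MANAGERS = ("pip ", "pip3 ", "npm ", "yarn ", "pnpm ", "gem ", "cargo ", "go get")
WORKFLOW_PREFIX = ".github/workflows/"
ALWAYS_ALERT = {"repo.transfer", "repo.visibility.public"}  # never normal without a ticket


def parse(log: str) -> list[dict]:
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def build_baseline(events: list[dict]) -> dict:
    """Learn what 'normal' looks like: which IPs each token is used from, which
    (repo, job) pairs run package managers, who pushes where, who edits workflows."""
    b = {"token_ips": defaultdict(set), "pkg_jobs": set(),
         "workflow_editors": set(), "actor_repos": set()}
    for e in events:
        if e["action"] == "token.use":
            b["token_ips"][e["detail"]].add(e["ip"])
        elif e["action"] == "exec" and e["detail"].startswith(PACKAGE_MANAGERS):
            b["pkg_jobs"].add((e["repo"], e["job"]))
        elif e["action"] == "git.push":
            b["actor_repos"].add((e["actor"], e["repo"]))
            if e["detail"].startswith(WORKFLOW_PREFIX):
                b["workflow_editors"].add((e["actor"], e["repo"]))
    return b


def detect(events: list[dict], b: dict) -> list[tuple[str, str, str]]:
    """Return (timestamp, alert_kind, description) for every deviation from the baseline."""
    alerts: list[tuple[str, str, str]] = []
    for e in events:
        ts, action, repo = e["ts"], e["action"], e["repo"]
        if action in ALWAYS_ALERT:
            alerts.append((ts, "repo_migration", f"{e['actor']} {action} {repo} {e['detail']}"))
        elif action == "token.use" and e["ip"] not in b["token_ips"].get(e["detail"], set()):
            known = sorted(b["token_ips"].get(e["detail"], set()))
            alerts.append((ts, "token_from_new_ip", f"{e['detail']} used from {e['ip']}, baseline {known}"))
        elif action == "exec" and e["detail"].startswith(PACKAGE_MANAGERS) \
                and (repo, e["job"]) not in b["pkg_jobs"]:
            alerts.append((ts, "package_manager_outside_baseline", f"job={e['job']}: {e['detail']}"))
        elif action == "git.push":
            actor_repo = (e["actor"], repo)
            if actor_repo not in b["actor_repos"]:
                alerts.append((ts, "new_actor_push", f"{e['actor']} pushed to {repo} from {e['ip']}"))
            if e["detail"].startswith(WORKFLOW_PREFIX) and actor_repo not in b["workflow_editors"]:
                alerts.append((ts, "workflow_change_by_unusual_actor", f"{e['actor']} edited {e['detail']}"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for ts, kind, desc in detect(parse(NEW_LOG), baseline):
        print(f"{ts} {kind}: {desc}")
```

The baseline window produces no alerts when checked against itself, which is the sanity test to run before trusting any new rule. The later window produces five: the deploy token used from an address it has never used, a package manager run in a job that never installs packages, a first-time pusher, a workflow edit by someone outside the usual editors, and a repository transfer. None of these involves malware; every one is a legitimate tool used in an abnormal context, which is exactly the pattern the alert describes.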
Why supply-chain vigilance matters
Software supply-chain risk amplifies impact: a single tampered dependency can cascade across multiple services and environments. The defensive pattern is stable even as attacker techniques evolve – enforce dependency integrity (version and hash pinning), verify provenance before updates, and use behavioural detection in CI/CD to spot abnormal package and build activity early.
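As an added example of the integrity gate described here and in the "validate dependencies" and "bake dependency assurance into CI/CD" items earlier (code written for this article, not pip's implementation or any project's pipeline), the Python below parses a lockfile in pip's `name==version --hash=sha256:<hex>` syntax and fails the build closed when a fetched artifact is unpinned, hash-mismatched or served from an index outside an allow-list. The artifact bytes, package names and index URLs are constructed stand-ins; the allow-list of approved indexes is an assumption.

```python
"""Dependency integrity gate for a build pipeline (added example, not pip's code).

A lockfile pins each dependency to an exact version and a sha256 digest. At
build time every fetched artifact must match a pinned entry and come from an
approved index, otherwise the build fails closed. A lockfile that is not fully
pinned is itself rejected, so the gate cannot be bypassed by loosening a pin.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Approved package indexes (assumption for the example).
ALLOWED_SOURCES = {"https://pypi.org/simple", "https://artifacts.example.internal/simple"}

# pip's requirements syntax for a hash-pinned line: name==version --hash=sha256:<64 hex>
LOCK_LINE = re.compile(
    r"^([A-Za-z0-9_.\-]+)==([A-Za-z0-9_.+\-]+)\s+--hash=sha256:([0-9a-f]{64})\s*$"
)


@dataclass(frozen=True)
class Download:
    name: str
    version: str
    source: str   # index the artifact was fetched from
    data: bytes   # artifact contents as received


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_lockfile(text: str) -> dict[tuple[str, str], str]:
    """Map (name, version) to the pinned digest; any non-pinned line is an error."""
    pins: dict[tuple[str, str], str] = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"line {line_no}: not an exact pin with a sha256 hash: {line!r}")
        name, version, digest = m.groups()
        pins[(name.lower(), version)] = digest
    return pins


def verify_download(d: Download, pins: dict[tuple[str, str], str]) -> tuple[bool, str]:
    if d.source not in ALLOWED_SOURCES:
        return False, f"{d.name}: source {d.source} is not an approved index"
    key = (d.name.lower(), d.version)
    if key not in pins:
        return False, f"{d.name}=={d.version}: not pinned in lockfile"
    actual = sha256_hex(d.data)
    if actual != pins[key]:
        return False, (f"{d.name}=={d.version}: sha256 mismatch "
                       f"(expected {pins[key][:12]}..., got {actual[:12]}...)")
    return True, f"{d.name}=={d.version}: verified"


def gate(downloads: list[Download], lockfile_text: str) -> tuple[bool, list[str]]:
    """True only if the lockfile is fully pinned and every download verifies."""
    try:
        pins = parse_lockfile(lockfile_text)
    except ValueError as exc:
        return False, [f"lockfile rejected: {exc}"]
    results = [verify_download(d, pins) for d in downloads]
    return all(ok for ok, _ in results), [msg for _, msg in results]


# Constructed stand-ins for release archives (real ones would be wheel or sdist bytes).
GOOD_LIB = b"PK\x03\x04 goodlib-1.4.2 wheel contents (constructed)"
HELPER = b"PK\x03\x04 helper-0.9.0 wheel contents (constructed)"

# The lockfile as committed after the dependencies were vetted.
LOCKFILE = (
    "# generated by the vetting step; regenerate only through the pinning job\n"
    f"goodlib==1.4.2 --hash=sha256:{sha256_hex(GOOD_LIB)}\n"
    f"helper==0.9.0 --hash=sha256:{sha256_hex(HELPER)}\n"
)

PYPI = "https://pypi.org/simple"
CLEAN_BUILD = [Download("goodlib", "1.4.2", PYPI, GOOD_LIB), Download("helper", "0.9.0", PYPI, HELPER)]
TAMPERED_BUILD = [Download("goodlib", "1.4.2", PYPI, GOOD_LIB + b"\n# injected post-install hook (constructed)"),
                  Download("helper", "0.9.0", PYPI, HELPER)]
MIRROR_BUILD = [Download("goodlib", "1.4.2", "http://mirror.example.net/simple", GOOD_LIB)]
BUMPED_BUILD = [Download("helper", "0.9.1", PYPI, HELPER)]

if __name__ == "__main__":
    for label, build in [("clean", CLEAN_BUILD), ("tampered", TAMPERED_BUILD),
                         ("mirror", MIRROR_BUILD), ("bumped", BUMPED_BUILD)]:
        ok, msgs = gate(build, LOCKFILE)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for msg in msgs:
            print("   ", msg)
```

Only the clean build passes. The tampered artifact fails on digest even though its name and version are right, the mirror fetch fails on provenance before its contents are even hashed, and the silently bumped version fails because nobody pinned it. Putting this check in the pipeline rather than in developer tooling is the point of the "not left to developer preference" item: the lockfile is the policy, and the gate enforces it on every build.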
Measure it like operations
Track time-to-rotate credentials, percentage of repositories with zero hard-coded secrets, dependency integrity coverage, and mean-time-to-detect anomalous CI/CD activity. These metrics give leaders a defensible view of progress.
“Good security teams rotate secrets; great teams eradicate them from code, instrument their pipelines, and catch abuse in runtime before it becomes an incident.”
Leadership matters more than tooling
Resilient organisations pair controls with disciplined governance: clear policies for secrets, opinionated build templates that enforce dependency hygiene, and incident playbooks that treat developer infrastructure as critical production.
Bottom line: Your code is more than just code—it’s your identity, your infrastructure, your business. Code repositories are prime attack surfaces because they concentrate identity, automation and trust. Reduce the blast radius by eliminating secrets from code, validating dependencies by default, and observing developer and pipeline activity with production-grade rigour – and you’ll deploy faster and safer.
Don’t wait for a breach. Secure your code, protect your IT environment, and defend your identity. Ask about Avocado’s identity scan. This scan will identify unmanaged identities including secrets, keys and tokens used in CI/CD pipelines and native cloud infrastructures.
How Avocado can help
- Audit secrets and unmanaged privileged/non-human accounts across repositories, CI/CD, cloud and SaaS; revoke stale credentials and right-size access.
- Comprehensive review of code repositories, from intellectual property to open-source packages.
- Workload identity and secrets analysis mapped to OWASP Top 10 risks for non-human identities.
- Pipeline hardening from build to operate, including policy-as-code and runbook updates.
- DevSecOps enablement: embed developer-friendly controls (push protection, secret scanning at commit/push/build, policy-as-code, short-lived credentials) so secure practice is the default, not an afterthought.