PRESS RELEASE
Avocado Consulting urges action after ASD High alert on code-repository targeting
Avocado Consulting is urging Australian organisations to take practical steps to harden their software supply chains following a High Alert issued on 19 September 2025 by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).
The alert highlights ongoing targeting of online code repositories including access gained via social engineering, compromised credentials and authentication tokens, and package tampering.
“Code repositories are under active attack,” says Dennis Baltazar, Principal Cloud and DevSecOps Solutions at Avocado Consulting.
“What’s significant here is not just attacker capability but attacker tradecraft. This wave of repository targeting blends social engineering with living-off-the-land (LOTL) techniques – abusing legitimate tools and workflows so malicious activity looks like business as usual,” says Baltazar.
“Attackers don’t need bespoke malware when pipelines are already paved for them,” adds Baltazar.
Baltazar says that secrets sprawl – scattered secrets across multiple vaults and tools – is a key risk.
“The biggest blind spot we see isn’t a zero-day, it’s secrets sprawl. Keys and tokens in code or CI/CD logs turn a minor repo slip into organisation-wide compromise,” said Dennis Baltazar.
He also advises immediate audits to identify and remediate unmanaged privileged and non-human accounts before they become pathways to lateral movement.
Avocado emphasises that effective secrets management is as much a developer-experience challenge as a security one. The goal is to make secure workflows the path of least resistance: centralise secrets, automate rotation, and build push-protection/secret scanning into commit, push and build – so teams move faster and safer without bolting security on at the end.
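To make the commit-time secret scanning described above concrete, here is an added example of a small pre-commit style scanner. It is illustrative code written for this release, not Avocado's tooling, and it assumes only two publicly documented token prefixes (AWS access key IDs starting with `AKIA`, GitHub classic personal access tokens starting with `ghp_`), a private-key header check, and a Shannon-entropy heuristic for long opaque strings. The unified diff it scans is constructed inline with placeholder-style values so the script runs offline; in a real hook you would feed it the output of `git diff --cached`.

```python
"""Added example: scan the added lines of a unified diff for leaked secrets.

Assumptions (not from the press release): token prefixes AKIA/ghp_ are the
publicly documented formats; the entropy threshold of 3.5 bits per character
and the 32-character minimum are illustrative tuning values.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Known secret formats. Keys are rule names reported back to the developer.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Long opaque tokens that match no known format are judged by entropy instead.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune per codebase
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")


@dataclass
class Finding:
    line_no: int   # line number in the new version of the file
    rule: str
    redacted: str  # never echo the full secret back into logs or CI output


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated character)."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-2:]


def scan_added_lines(diff_text: str) -> list:
    """Return Findings for '+' lines of a unified diff, skipping removed lines."""
    findings = []
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++") or raw.startswith("---"):
            continue  # file headers
        header = HUNK_HEADER.match(raw)
        if header:
            line_no = int(header.group(1)) - 1  # next line is the hunk's first
            continue
        if raw.startswith("-"):
            continue  # removed lines do not land in the repository
        line_no += 1  # context and added lines both advance new-file numbering
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        matched = False
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(content):
                findings.append(Finding(line_no, rule, redact(m.group(0))))
                matched = True
        if matched:
            continue  # do not double-report a known token via the entropy rule
        for token in CANDIDATE.findall(content):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high_entropy_string", redact(token)))
    return findings


# Constructed sample diff; the AWS value is AWS's own documented placeholder key.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+SESSION_SALT = "0123456789abcdef0123456789abcdef"
+DB_HOST = os.environ.get("DB_HOST", "localhost")
 DEBUG = False
"""

if __name__ == "__main__":
    # Usage: python scan.py [diff-file]; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DIFF
    found = scan_added_lines(text)
    for f in found:
        print(f"line {f.line_no}: {f.rule} ({f.redacted})")
    sys.exit(1 if found else 0)  # non-zero exit blocks the commit in a hook
```

The non-zero exit is what turns the scanner into push protection when it is wired into a pre-commit or pre-receive hook; the redacted report is deliberate, since a hook that prints the full token into CI logs recreates the secrets-sprawl problem it is meant to prevent.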
“When Development and Security work from the same pipeline, security stops being a gate and becomes an accelerator. Give engineers guardrails: short-lived credentials, policy-as-code, and default secret detection, and you reduce incidents while increasing velocity,” says Dennis Baltazar.
Baltazar says, “Leaders should ask two questions today: Do we know where secrets and privileged access still live in code, pipelines and SaaS integrations – and how fast can we rotate or remove them? And do we measure dependency integrity and anomalous pipeline behaviour with the same rigour we apply to production systems?”
Baltazar says that if these core questions are not understood and actioned, organisations may be at risk.
“Your code is more than just code – it’s your identity, your infrastructure, your business – it accesses your critical data. Organisations should treat it like any other valuable asset by ensuring it is protected from vulnerabilities,” says Baltazar.
“The risks of not taking action are exposure of cryptographic keys and passwords; cloud-infrastructure compromise; identity theft and privilege escalation; and long-term reputational and operational damage,” Baltazar warns.
“Good security teams rotate secrets; great teams eradicate them from code, instrument their pipelines, and catch abuse in runtime before it becomes an incident,” Baltazar added.
Baltazar recommends taking the following four steps. For full insights, including the first-72-hours plan and the subsequent 7-day plan, read his full blog.
How Avocado can help
- Audit secrets and unmanaged privileged/non-human accounts across repositories, CI/CD, cloud and SaaS; revoke stale credentials and right-size access.
- Comprehensive review of code repositories, from intellectual property to open-source packages. Ask about Avocado’s identity scan. This scan will identify unmanaged identities including secrets, keys and tokens used in CI/CD pipelines and native cloud infrastructures.
- Workload identity and secrets analysis mapped to OWASP Top 10 risks for non-human identities.
- Pipeline hardening from build to operate, including policy-as-code and runbook updates.
- DevSecOps enablement: embed developer-friendly controls (push protection, secret scanning at commit/push/build, policy-as-code, short-lived credentials) so secure practice is the default, not an afterthought.
Media contact
Amy Kitson: [email protected] | 0455 515 060
About Avocado Consulting
Avocado Consulting helps organisations deliver with certainty across cloud, security, testing and DevSecOps – uplifting teams and hardening platforms with practical, outcome-focused services.
