SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Avocado warns on code repository supply chain attacks

Tue, 7th Apr 2026

Avocado Consulting has urged Australian organisations to strengthen software supply chain security after the Australian Cyber Security Centre reissued a high alert on attacks targeting online code repositories. It is the second such alert in five months.

The warning highlights ongoing attacks on code repositories through social engineering, compromised credentials and authentication tokens, and package tampering. Avocado said the renewed alert showed the threat remained active and suggested some organisations had still not taken basic protective steps.

Code repositories sit at the centre of modern software development, storing source code and connecting to build pipelines, cloud services, and software packages. That makes them an attractive target for attackers seeking access to credentials, development workflows, and production systems.

According to Dennis Baltazar, Principal Cloud and DevSecOps Solutions at Avocado, the latest attacks stand out not only for their persistence but also for the methods being used.

"The fact that the ACSC has felt compelled to reissue this alert within five months is a clear signal that the threat has not abated - and that many organisations have yet to act," Baltazar said.

He said attackers were increasingly using techniques that blend into standard development activity rather than relying on obviously malicious software.

"Code repositories are under active attack. What's significant here is not just attacker capability but attacker tradecraft. This wave of repository targeting blends social engineering with living-off-the-land techniques - abusing legitimate tools and workflows so malicious activity looks like business as usual. Attackers don't need bespoke malware when pipelines are already paved for them," he said.

Secrets Risk

A central concern raised by the firm is what it describes as secrets sprawl, where keys, tokens, and other credentials are scattered across tools, vaults, logs, and codebases. In practice, that can allow a small lapse in one repository to spread into broader compromise across systems and accounts.

"The biggest blind spot we see isn't a zero-day, it's secrets sprawl. Keys and tokens in code or CI/CD logs turn a minor repo slip into organisation-wide compromise," Baltazar said.

Avocado urged organisations to carry out immediate audits to identify unmanaged privileged accounts and non-human identities, including service accounts, automation tools, and machine credentials used in pipelines and cloud platforms. If those identities are poorly controlled, they can become routes for lateral movement after an initial breach.

The consultancy also argued that secure development practices will only work consistently if they fit naturally into existing engineering workflows. It recommended centralising secrets, automating credential rotation, and building secret scanning and push protection into commit, push, and build stages.
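As an illustration of the "secret scanning at the commit stage" recommendation above, here is an added example of a pre-commit gate that scans the staged diff for credential-shaped strings before they can reach the repository. It is not Avocado's tooling or anything from the ACSC alert: the rules, the entropy threshold and the sample diff are all constructed for this example, and the key-looking values in it are made up.

```python
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int      # line number in the new version of the file
    preview: str   # redacted value, safe to print in hook output


# Detection rules, checked in order; the first hit per line wins.
AWS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")          # AWS access key ID shape
GITHUB_PAT = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")     # classic GitHub PAT shape
GENERIC = re.compile(
    r"(?i)(secret|token|password|api_key)\w*\s*[=:]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5   # bits/char; a tuning choice for this example, not a standard

# Constructed staged diff (what `git diff --cached` hands the hook). All values are
# made up: the removed ghp_ token shows that removed lines are ignored, and
# PASSWORD_HINT shows the entropy gate suppressing an obvious placeholder.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+API_TIMEOUT = "30"
+PASSWORD_HINT = "changeme-changeme-changeme"
-OLD_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
 LOG_LEVEL = "info"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    # Never echo the full secret back into CI logs (that would be secrets sprawl).
    return f"{value[:4]}…({len(value)} chars)"


def match_line(text: str):
    m = AWS_KEY.search(text)
    if m:
        return "aws-access-key-id", m.group(0)
    m = GITHUB_PAT.search(text)
    if m:
        return "github-pat", m.group(0)
    m = GENERIC.search(text)
    if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
        return "high-entropy-secret", m.group(2)
    return None


def scan_diff(diff: str) -> list[Finding]:
    """Scan only added lines, tracking the new-file line number from hunk headers."""
    findings: list[Finding] = []
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith(("diff ", "index ", "--- ", "+++ ")):
            continue
        if raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
            continue
        if raw.startswith("-"):
            continue                      # removed lines never reach the repo
        if raw.startswith("+"):
            hit = match_line(raw[1:])
            if hit:
                findings.append(Finding(hit[0], new_line, redact(hit[1])))
        new_line += 1                     # context and added lines both advance
    return findings


def should_block(findings: list[Finding]) -> bool:
    return bool(findings)


if __name__ == "__main__":
    diff = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    found = scan_diff(diff)
    for f in found:
        print(f"BLOCK {f.rule} at new line {f.line}: {f.preview}")
    sys.exit(1 if should_block(found) else 0)
```

Wired in as `.git/hooks/pre-commit` with `git diff --cached | python secret_gate.py`, a non-zero exit refuses the commit; the same scan run server-side on push is the "push protection" stage the article refers to. On the constructed diff it reports the access key ID on line 2 and the high-entropy secret on line 3, and says nothing about the placeholder or the timeout value.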

"When Development and Security work from the same pipeline, security stops being a gate and becomes an accelerator. Give engineers guardrails - short-lived credentials, policy-as-code, and default secret detection - and you reduce incidents while increasing velocity," Baltazar said.

Priority Steps

The firm outlined three immediate priorities. First, remove secrets from code and pipelines, using token rotation and short-lived, limited credentials instead of long-lived access. Second, validate dependencies by default, including version pinning, integrity checks, and blocking unverified sources in CI/CD. Third, monitor the software development lifecycle with the same rigour as production environments so unusual developer or pipeline activity can be detected early.
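The second priority (version pinning, integrity checks and blocking unverified sources in CI/CD) maps onto a simple policy check over a lockfile. The example below is added here and is not Avocado's code; the lock entries, artifact bytes and the `ALLOWED_HOSTS` allowlist are constructed for the example, and the package names are hypothetical.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hypothetical allowlist of artifact hosts this pipeline may fetch from.
ALLOWED_HOSTS = {"files.pythonhosted.org", "artifacts.internal.example"}


@dataclass
class LockEntry:
    name: str
    version: Optional[str]   # exact pin expected; None or a range means unpinned
    sha256: Optional[str]    # hex digest recorded when the lock was generated
    url: str                 # where the build will fetch the artifact from


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_exact_pin(version: Optional[str]) -> bool:
    # Anything with a range or wildcard operator is not a pin.
    return bool(version) and not any(ch in version for ch in "*<>~^!")


def verify_entry(entry: LockEntry, fetched: Optional[bytes]) -> list:
    """Return the policy violations for one dependency (empty list == OK)."""
    problems = []
    if not is_exact_pin(entry.version):
        problems.append("unpinned")
    if not entry.sha256:
        problems.append("no-integrity-hash")
    parsed = urlparse(entry.url)
    if parsed.scheme != "https":
        problems.append("insecure-transport")
    if parsed.hostname not in ALLOWED_HOSTS:
        problems.append("unverified-source")
    if fetched is None:
        problems.append("artifact-missing")
    elif entry.sha256 and sha256_hex(fetched) != entry.sha256:
        problems.append("integrity-mismatch")   # bytes differ from what was locked
    return problems


def check_lock(lock: list, fetched: dict) -> dict:
    return {e.name: verify_entry(e, fetched.get(e.name)) for e in lock}


def should_block(report: dict) -> bool:
    return any(report.values())


# Constructed artifacts standing in for downloaded wheels/tarballs.
ALPHA = b"alpha-lib 1.4.2 wheel bytes (constructed)"
BETA_ORIGINAL = b"beta-tool 0.9.0 sdist bytes (constructed)"
BETA_TAMPERED = BETA_ORIGINAL + b"\n# altered after the lock was written (constructed)"

# Constructed lockfile: hashes are those of the bytes that existed at lock time.
LOCK = [
    LockEntry("alpha-lib", "1.4.2", sha256_hex(ALPHA),
              "https://files.pythonhosted.org/packages/alpha_lib-1.4.2-py3-none-any.whl"),
    LockEntry("beta-tool", "0.9.0", sha256_hex(BETA_ORIGINAL),
              "https://artifacts.internal.example/beta-tool-0.9.0.tar.gz"),
    LockEntry("gamma-cli", ">=2.0", None,
              "http://mirror.untrusted.example/gamma-cli-latest.tar.gz"),
]

# What the build actually downloaded: beta-tool came back altered, gamma-cli was
# never fetched because its source is not on the allowlist.
FETCHED = {"alpha-lib": ALPHA, "beta-tool": BETA_TAMPERED}


if __name__ == "__main__":
    report = check_lock(LOCK, FETCHED)
    for name, problems in report.items():
        print(name, "OK" if not problems else ", ".join(problems))
    raise SystemExit(1 if should_block(report) else 0)
```

The check is the same one the package managers already do when asked: pip enforces recorded digests with `pip install --require-hashes -r requirements.txt`, npm checks the `integrity` field in `package-lock.json`, and Go checks `go.sum`. The value of running it as an explicit CI step is that the build fails closed on an unpinned, unhashed or off-allowlist dependency instead of quietly resolving it.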

Baltazar said the issue should concern senior leaders as well as technical teams.

"Leaders should ask two questions today: Do we know where secrets and privileged access still live in code, pipelines and SaaS integrations - and how fast can we rotate or remove them? And do we measure dependency integrity and anomalous pipeline behaviour with the same rigour we apply to production systems?" he said.

The alert comes as software supply chain risk remains a growing concern for businesses and government agencies, particularly as organisations rely more heavily on cloud services, open-source software, and automated deployment pipelines. A compromise in a code repository can expose intellectual property, disrupt operations, and provide a route into wider infrastructure.

Avocado warned that the consequences of inaction can range from exposure of cryptographic keys and passwords to cloud infrastructure compromise, identity theft, privilege escalation, and long-term reputational damage.

"Your code is more than just code - it's your identity, your infrastructure, your business; it accesses your critical data. Organisations should treat it like any other valuable asset by ensuring it is protected from vulnerabilities," Baltazar said.

"The risks of not taking action are exposure of cryptographic keys and passwords; cloud infrastructure compromise; identity theft and privilege escalation; and long-term reputational and operational damage," he said.

"Good security teams rotate secrets; great teams eradicate them from code, instrument their pipelines, and catch abuse in runtime before it becomes an incident," Baltazar said.