Avocado Consulting has urged Australian organisations to strengthen software supply chain security following a renewed high alert from the Australian Cyber Security Centre (ACSC) warning of ongoing attacks targeting online code repositories. The advisory, reissued for the second time in five months, highlights the persistence of threats exploiting weaknesses in modern development environments.
The alert points to a range of attack methods, including social engineering, compromised credentials and authentication tokens, and tampering with software packages. According to Avocado, the repeated warning signals that many organisations have yet to implement even basic security controls, leaving critical development infrastructure exposed.
Code repositories play a central role in modern software development, acting as hubs that store source code and connect with build pipelines, cloud platforms, and third-party dependencies. This interconnected nature makes them highly attractive targets for attackers seeking access to sensitive credentials, development workflows, and production systems.
Dennis Baltazar, Principal Cloud and DevSecOps Solutions at Avocado Consulting, emphasised that the latest wave of attacks is notable not only for its persistence but also for the sophistication of its execution. He explained that attackers are increasingly leveraging “living-off-the-land” techniques – abusing legitimate tools and workflows to blend malicious activity into normal development processes, making detection significantly more difficult.
A key concern highlighted by Avocado is the growing issue of “secrets sprawl,” where sensitive credentials such as API keys, tokens, and passwords are distributed across codebases, CI/CD pipelines, logs, and cloud environments. This fragmentation increases the risk that a single exposed repository could lead to widespread compromise across systems and accounts.
To address these risks, Avocado is advising organisations to conduct immediate audits of privileged accounts and non-human identities, including service accounts, automation tools, and machine credentials. Poorly managed identities can serve as entry points for attackers, enabling lateral movement within systems after an initial breach.
The consultancy also stressed that secure development practices must integrate seamlessly into existing engineering workflows to be effective. Recommendations include centralising secrets management, automating credential rotation, and embedding security controls such as secret scanning and push protection directly into development pipelines.
Avocado outlined three priority actions for organisations. First, eliminate secrets from code and pipelines by adopting short-lived credentials and regular token rotation. Second, enforce dependency validation through measures such as version pinning, integrity checks, and blocking unverified sources within CI/CD environments. Third, implement continuous monitoring across the software development lifecycle to detect unusual activity in developer behaviour or pipeline processes at an early stage.
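The first two actions translate directly into a pre-push gate. The following is an added illustration, not code from Avocado or the ACSC: it scans the added lines of a diff for credential shapes (secret scanning and push protection) and rejects dependency entries that are not exact-pinned with an integrity hash. The token patterns, file names and sample inputs are constructed placeholders.

```python
import re
# Constructed credential shapes; the prefixes are the publicly documented ones
# (GitHub PAT, AWS access key id). Nothing matched here is a real secret.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
def scan_diff_for_secrets(diff_text):
    """(file, new_line_no, pattern) for every added '+' line of a unified diff that matches."""
    findings, current_file, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1  # new-file start line
        elif raw.startswith("+"):
            line_no += 1
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(raw[1:]):
                    findings.append((current_file, line_no, name))
        elif not raw.startswith("-"):
            line_no += 1  # context lines advance the new-file counter; removed lines do not
    return findings

def check_requirements_pinned(text):
    """(package, reason) for lines not exact-pinned with a --hash (pip hash-checking mode)."""
    problems = []
    logical = [l.split() for l in text.replace("\\\n", " ").splitlines() if l.strip()]
    for parts in logical:  # '\' continuations already joined onto one logical line
        spec, name = parts[0], re.split(r"[=<>!~\[;]", parts[0])[0]
        if "==" not in spec:
            problems.append((name, "not pinned to an exact version"))
        elif not any(p.startswith("--hash=") for p in parts[1:]):
            problems.append((name, "no integrity hash"))
    return problems
# Constructed inputs: a diff that replaces an environment lookup with hard-coded
# placeholder tokens, and a requirements file with one pinned-and-hashed entry.
SAMPLE_DIFF = """\
+++ b/deploy.py
@@ -1,3 +1,4 @@
 import os
-TOKEN = os.environ["GH_TOKEN"]
+TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 def deploy(): ...
"""
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml>=6.0
cryptography==41.0.0
"""
```

Either function returning a non-empty list is the signal to block the push; the third action, continuous monitoring of pipeline activity, is outside what a single pre-push hook can cover.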
Baltazar noted that software supply chain security is not solely a technical issue but a strategic concern for business leaders. He urged executives to evaluate their visibility into where sensitive credentials reside and how quickly they can be rotated or removed, as well as whether dependency integrity and anomalous pipeline activity are monitored with the same rigour as production systems.
The renewed alert comes amid growing concern over software supply chain risks, as organisations increasingly depend on cloud services, open-source components, and automated deployment pipelines. A compromise within a code repository can expose intellectual property, disrupt operations, and provide attackers with a pathway into broader infrastructure.
Avocado warned that failure to act could result in severe consequences, including exposure of cryptographic keys and passwords, cloud infrastructure breaches, identity theft, privilege escalation, and long-term reputational damage.
Baltazar concluded by emphasising the importance of proactive security measures, stating that while good security teams rotate secrets, leading organisations go further by eliminating them from code, instrumenting their pipelines, and detecting abuse in real time before it escalates into a full-scale incident.