Australia's Code Repositories Are Under Active Attack.

The Second Warning in Five Months Should Settle ANY Debate.

The Australian Signals Directorate's Australian Cyber Security Centre issued its first alert about the targeting of online code repositories in September 2025. Organisations were urged to act. Many did not.

On 1 April 2026, the ASD's ACSC issued the same warning again. Rated "High Alert: Act Quickly." Directed explicitly at organisation leaders, not just IT teams. The language is harder this time. The implication is clear.

The threat has not abated. And for Australian and New Zealand organisations that rely on third-party software, the window to act is narrowing.

What Is Actually Happening

Code repositories are where software lives. GitHub, GitLab, and similar platforms host the building blocks of modern business applications. Your internal development team uses them. So do the vendors whose software you buy and the managed service providers who support your environment.

Threat actors have been observed gaining access to these repositories through phishing and vishing, social engineering, compromised credentials, compromised authentication tokens, and infected software packages.

Once inside, the activity is methodical. Actors have been modifying public packages to initiate supply-chain compromises, running open-source tools to scan for cryptographic secrets, passwords and sensitive keys, extracting and leaking identified credentials publicly, and migrating private repositories to public repositories.

Here is what makes this particularly difficult to detect. Threat actors are abusing legitimate tooling and functions to achieve these results, rather than bespoke tooling. The activity looks like normal developer behaviour. It blends in. Standard monitoring often misses it entirely.
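One way to make that blending-in visible is to alert on the behaviour rather than the tooling: a repository flipping to public, or one account cloning many private repositories in a short window shortly after creating a token. The following is an added example, not code from the advisory or from Insicon Cyber; it runs those rules over constructed audit events whose field names are an assumption for the example, not the real GitHub or GitLab audit-log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. Field names are an assumption for this
# example, not the real GitHub or GitLab audit-log schema.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T09:00:00Z", "actor": "dev.alice", "action": "repo.clone",
     "repo": "acme/web", "visibility": "private"},
    {"ts": "2026-04-01T09:05:00Z", "actor": "dev.alice", "action": "repo.push",
     "repo": "acme/web", "visibility": "private"},
    {"ts": "2026-04-01T22:10:00Z", "actor": "dev.bob", "action": "token.create",
     "repo": None, "visibility": None},
] + [
    {"ts": f"2026-04-01T22:{11 + i:02d}:00Z", "actor": "dev.bob",
     "action": "repo.clone", "repo": f"acme/service-{i}", "visibility": "private"}
    for i in range(8)  # eight private repos cloned in eight minutes
] + [
    {"ts": "2026-04-01T22:30:00Z", "actor": "dev.bob",
     "action": "repo.visibility_change", "repo": "acme/service-3", "visibility": "public"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, clone_threshold=5, window=timedelta(minutes=15)):
    """Return (rule, actor, detail) findings from behaviour, not tool signatures."""
    findings = []
    clones = defaultdict(list)   # actor -> timestamps of recent private-repo clones
    tokens = {}                  # actor -> time of most recent token creation
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = _parse(ev["ts"])
        if ev["action"] == "token.create":
            tokens[ev["actor"]] = t
        # Rule 1: a private repository made public always warrants a human look.
        if ev["action"] == "repo.visibility_change" and ev["visibility"] == "public":
            findings.append(("repo_made_public", ev["actor"], ev["repo"]))
        # Rule 2: a burst of private clones by one actor resembles bulk migration;
        # a token minted shortly beforehand raises the severity.
        if ev["action"] == "repo.clone" and ev["visibility"] == "private":
            recent = [s for s in clones[ev["actor"]] if t - s <= window] + [t]
            clones[ev["actor"]] = recent
            if len(recent) == clone_threshold:  # fire once, when the threshold is crossed
                tok = tokens.get(ev["actor"])
                severity = "high" if tok and t - tok <= timedelta(hours=1) else "medium"
                findings.append(("bulk_private_clone", ev["actor"], severity))
    return findings
```

Normal daily work by dev.alice produces no finding; the constructed dev.bob sequence produces two, both from ordinary platform functions rather than any bespoke tool.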

Why This Is a Board-Level Issue

Many organisations will read "code repository attack" and delegate it to their IT team. That instinct is understandable. It is also wrong.

This is a supply chain risk. And supply chain risk is squarely within the remit of senior leadership.

The compromise of trusted software packages presents a significant and ongoing risk for organisations, as these packages are often widely used and embedded as dependencies within other software, increasing the potential impact when vulnerabilities are identified.

For Australian entities regulated under APRA CPS 230, the obligations are explicit. Material service providers and third-party software dependencies must be identified, assessed, and actively managed. A compromised package embedded in a vendor's product, silently exfiltrating credentials or providing a foothold for a future attack, is precisely the kind of operational risk CPS 230 was designed to address.

For any organisation holding personal information under the Privacy Act 1988, or in New Zealand under the Privacy Act 2020, the downstream exposure from a supply chain compromise can trigger mandatory notification obligations. Credentials extracted from a repository. Systems accessed. Data exfiltrated. The chain of consequence moves quickly.

The Question Leaders Should Be Asking Right Now

The ASD's ACSC has been direct on this point: leaders should be able to ask their IT or cyber security teams which software versions are deployed on corporate devices and receive timely, reliable responses.

That is a governance test. Not a technical one.

If you asked that question today and could not get a clear, complete answer within 24 hours, your organisation has a visibility problem. And visibility gaps are exactly what threat actors depend on.

The practical questions worth putting to your team are straightforward:

  1. Do we know every third-party software package running in our environment, including the specific versions?

  2. Do we have a process for monitoring when those packages are updated or compromised?

  3. Do we receive alerts when credentials appear in public repositories?

  4. Are we enforcing multi-factor authentication on all developer accounts and repository access, not just corporate systems?

These are not technical questions. They are risk management questions. The answers will tell you quickly whether your software supply chain is being actively governed or simply assumed to be secure.

What the ASD's ACSC Wants You to Do

The advisory is consistent with the guidance that underpins the ASD Essential Eight. Patch applications. Control what software runs in your environment. Limit privileged access. Enforce MFA.

None of these mitigations are novel. What is significant is that the ASD's ACSC has now issued a "High Alert: Act Quickly" advisory on this specific threat category twice in five months. That frequency is unusual. It reflects a persistent, active campaign, not a passing risk.

For Australian and New Zealand mid-market organisations, the practical priority is threefold.

  1. Establish a software inventory that is accurate and maintained, not a document that was last updated at a point-in-time audit.

  2. Confirm that MFA is enforced on every account with access to code repositories, including third-party and contractor accounts.

  3. Ask your IT or security provider whether repository access and package integrity are being actively monitored.

The Advice Has Been Given Twice

The ASD's ACSC does not reissue high-priority alerts without reason. This is a signal that organisations acted too slowly after September 2025, and that the campaign targeting Australian and New Zealand organisations continues.

Supply chain attacks are hard to detect precisely because they exploit trust. Trusted packages. Trusted vendors. Trusted workflows. The defence is not to eliminate trust but to verify it continuously and systematically.

That is a governance discipline. It belongs on the board agenda.

How Insicon Cyber Can Help

Insicon Cyber's Board Cyber Advisory service is designed for exactly this kind of challenge. We work with boards and executive teams across Australia and New Zealand to translate active threat intelligence into governance action. That means helping your leadership team ask the right questions, assess the right risks, and build the oversight disciplines that regulators and auditors increasingly expect to see.

If the ASD's ACSC alert has raised questions your current team cannot answer with confidence, that is a conversation worth having. Talk to us about Board Cyber Advisory.

Source: ASD's ACSC Advisory, "Ongoing Targeting of Online Code Repositories," last updated 1 April 2026 -- https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-targeting-of-online-code-repositories
