Australian Cyber Security Magazine

ACSC warns of ongoing targeting of online code repositories


The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued an updated alert warning of increased targeting of online code repositories, urging Australian organisations that maintain developer repositories, publish public software packages, or rely on third-party packages to review controls and monitor for compromise.

The alert, dated 1 April 2026, says threat actors have been observed gaining access to online code repositories via phishing and vishing, social engineering, compromised credentials, compromised authentication tokens, and infected software packages.

Once access is obtained, the ACSC says actors have been seen modifying public packages to initiate supply-chain compromises, using open-source tools to scan repositories for cryptographic secrets, passwords and keys, extracting and leaking identified credentials publicly, and migrating private repositories to public repositories. The ACSC noted the activity often involves abuse of legitimate tooling and functions rather than custom-built tools.

The ACSC said exposed code bases can provide adversaries with insight into internal processes and systems, which can increase an organisation’s attack surface and enable further attacks.

In its mitigation advice, the ACSC recommended organisations investigate potentially affected systems by reviewing logs for recent package installations, suspicious processes and unexpected modifications in developer repositories, and analysing any system that hosted a compromised package for malicious activity. It also advised validating that only trusted and verified packages are in use and checking packages for signs of compromise before installation or updating.

The alert also called for user awareness efforts, including informing users about the risks associated with unverified and “under-verified” software packages, and recommended using code repository platforms’ native security functions, such as secret scanning, to detect malicious activity and exposed secrets. The ACSC further advised rotating any secrets found in repositories that are accessible from compromised systems.
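The secret-hunting the alert describes, both the attackers' scanning of repositories with open-source tooling and the defensive scanning it recommends, comes down to the same mechanics: pattern matching for known token formats plus an entropy heuristic for generic "name = value" assignments. The following is an added illustration and not ACSC, GitHub or any vendor's code; the repository contents are constructed, the AWS and GitHub patterns follow the publicly documented prefixes, and the entropy threshold and the "mixed character classes" rule are assumptions chosen so that a placeholder such as `changeme-in-production` is not reported.

```python
"""Minimal secret scanner over repository file contents (added example).

Assumptions: token patterns below are illustrative, the entropy cut-off
is a heuristic, and SAMPLE_REPO is a constructed tree with no real secrets.
"""
import math
import re
from dataclasses import dataclass

# Constructed sample repository: path -> contents. None of these values are real.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAABCDEFGHIJKLMNOP'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "DB_PASSWORD = 'changeme-in-production'\n"
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Run `make build` then `make test`.\n",
    ".github/workflows/ci.yml": "env:\n  GH_TOKEN: ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8\n",
}

# Detectors for well-known token shapes (documented prefixes; illustrative set).
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}
# Generic rule: a secret-ish name assigned a long opaque value. Heuristic only.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # masked so the scanner's own output does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(value: str) -> bool:
    """Machine-generated secrets are high-entropy and mix digits with both
    letter cases; a human placeholder like 'changeme-in-production' is not."""
    return (
        shannon_entropy(value) >= ENTROPY_THRESHOLD
        and any(c.isdigit() for c in value)
        and any(c.islower() for c in value)
        and any(c.isupper() for c in value)
    )


def mask(value: str) -> str:
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, kind, mask(m.group(0))))
                hit = True
        if hit:
            continue  # a specific detector already explains this line
        m = GENERIC_ASSIGNMENT.search(line)
        if m and looks_random(m.group(1)):
            findings.append(Finding(path, line_no, "generic_high_entropy", mask(m.group(1))))
    return findings


def scan_repo(files: dict) -> list:
    """files maps a repository-relative path to its contents."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} {f.kind} {f.preview}")
```

Anything this reports in a real repository should be treated as already compromised and rotated, as the alert advises: history rewriting removes the value from the default branch but not from forks, clones or the attacker's copy.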

For organisational leaders, the ACSC said the compromise of trusted software packages remains a significant and ongoing risk due to the widespread use of dependencies. It urged organisations to be able to rapidly identify which packages and versions are installed across their environments, and for leaders to be able to obtain timely and reliable answers from IT and cyber teams about software versions deployed on corporate devices.
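The mitigation advice above (validating that only trusted packages are in use) and the ask to leaders here (knowing rapidly which packages and versions are installed where) are the same capability: an inventory of pinned dependencies that can be joined against a list of compromised versions. The following added example is not ACSC code; it walks a tree of lockfiles, parses npm `package-lock.json` (lockfile v2/v3 `packages` map, including nested copies) and pinned `requirements.txt` lines (with PEP 503 name normalisation), and matches the result against a compromised-version list. The package names, versions, lockfile contents and the compromised list are constructed placeholders, not real advisories.

```python
"""Dependency inventory across lockfiles, matched against known-bad versions.

Added example. COMPROMISED and SAMPLE_TREE are constructed placeholders;
a real deployment would read the tree from disk and the list from an advisory feed.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Placeholder advisory data: {ecosystem: {package: {compromised versions}}}.
COMPROMISED = {
    "npm": {"example-logger": {"4.2.1"}},
    "pypi": {"acme-http-client": {"2.0.3", "2.0.4"}},
}

# Constructed repository tree: path -> file contents.
SAMPLE_TREE = {
    "services/web/package-lock.json": json.dumps({
        "name": "web", "lockfileVersion": 3,
        "packages": {
            "": {"name": "web", "version": "1.0.0"},
            "node_modules/example-logger": {"version": "4.2.1"},
            "node_modules/left-side": {"version": "0.9.0"},
            # nested copy pulled in by a transitive dependency
            "node_modules/left-side/node_modules/example-logger": {"version": "4.1.0"},
        },
    }),
    "services/worker/requirements.txt": (
        "# pinned by pip-compile\n"
        "acme-http-client==2.0.3\n"
        "Acme-Http-Client[socks]==2.0.4 ; python_version >= '3.8'\n"
        "internal-tools==1.0.0\n"
        "-r base.txt\n"
    ),
    "docs/README.md": "not a lockfile\n",
}


@dataclass(frozen=True)
class Dep:
    ecosystem: str
    name: str
    version: str
    source: str  # lockfile the pin came from


def parse_package_lock(path: str, text: str) -> list:
    """Lockfile v2/v3: keys are install paths; the name is what follows the
    last 'node_modules/', so nested duplicates are inventoried separately."""
    deps = []
    for key, meta in json.loads(text).get("packages", {}).items():
        if key == "" or "version" not in meta:
            continue  # "" is the root project itself
        name = key.rsplit("node_modules/", 1)[-1]
        deps.append(Dep("npm", name, meta["version"], path))
    return deps


REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def normalize_pypi(name: str) -> str:
    """PEP 503: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(path: str, text: str) -> list:
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#-":
            continue  # comments and options such as '-r base.txt'
        m = REQ_LINE.match(line)
        if m:  # only exact '==' pins are an inventory; ranges are not
            deps.append(Dep("pypi", normalize_pypi(m.group(1)), m.group(2), path))
    return deps


PARSERS = {"package-lock.json": parse_package_lock, "requirements.txt": parse_requirements}


def inventory(tree: dict) -> list:
    deps = []
    for path in sorted(tree):
        parser = PARSERS.get(path.rsplit("/", 1)[-1])
        if parser:
            deps.extend(parser(path, tree[path]))
    return deps


def match_compromised(deps: list, compromised: dict = COMPROMISED) -> list:
    return [d for d in deps
            if d.version in compromised.get(d.ecosystem, {}).get(d.name, set())]


def versions_by_package(deps: list) -> dict:
    """Answer 'which versions of X are deployed, and where' in one lookup."""
    table = defaultdict(set)
    for d in deps:
        table[(d.ecosystem, d.name)].add((d.version, d.source))
    return dict(table)


if __name__ == "__main__":
    deps = inventory(SAMPLE_TREE)
    for d in match_compromised(deps):
        print(f"COMPROMISED {d.ecosystem} {d.name}=={d.version} in {d.source}")
```

Lockfiles record what was resolved at install time, so this inventory should be reconciled against what is actually present on hosts (for example `npm ls --all --json` or `pip freeze` output) before it is reported upwards as the state of the estate.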

The ACSC’s full alert is published on cyber.gov.au, and it directed victims of cybercrime to ReportCyber.
