What You Don't See Can Absolutely Hurt You
Author: Kathryn Guides, Founder & Managing Director, ORCA Opti
Date: 1 April 2026 (updated 2 April 2026)
Category: Cyber Supply Chain | GRC | Threat Intelligence
When I was about seven, my brother and I set off on our bikes to ride to our grandparents' house. The route took us down a big hill, the kind that feels like flying when you're a kid. I remember the speed building, the wind in my hair, and that pure, fearless thrill of going faster than I ever had (oh, and trying to keep up with my older brother).
I had no concept of what falling at that speed would actually mean.
I didn't see the rock until it was too late. A decent-sized stone, sitting right in my path. My front tyre hit it and I went down, hard. I ended up with a massive haematoma around my right eye that had everyone at school asking if I'd been in a boxing match.
I wasn't reckless. I just didn't know what I didn't know. The rock was always there. I just hadn't learned to scan for it yet.
This is how it is in cybersecurity, particularly when I read advisories like the one the Australian Signals Directorate's ACSC released today, warning of increased targeting of online code repositories.
Because right now, a lot of organisations are flying down that hill with the wind in their hair, and they haven't seen the rock yet.
The Rock in the Road
Today's ACSC alert details how threat actors are compromising online code repositories: the platforms where organisations and developers store, share, and manage their software code. The access methods are depressingly familiar: phishing, social engineering, stolen credentials, and compromised authentication tokens.
What happens after they get in is where it gets dangerous:
Trusted public packages are being modified to launch supply chain compromises
Repositories are being scanned for exposed secrets, passwords, and cryptographic keys
Credentials are being extracted and leaked publicly
Private repositories are being flipped to public
Here's the detail that should keep leadership teams up at night: the attackers are doing this using the platforms' own legitimate tools and native functions. Not custom malware. Not sophisticated zero-days. Just the built-in features, used against you.
"Nobody Would Bother Looking at Our Code"
There's a mindset that persists in too many organisations, one that essentially amounts to security through obscurity. The thinking goes: our repository is one of millions, our code isn't that interesting, we're not a big enough target. Nobody's going to stumble across our exposed credentials or our unverified package dependencies.
That thinking has always been risky. In 2026, it's downright dangerous.
Here's why: AI doesn't get tired. It doesn't overlook. It doesn't skip the boring repositories or decide your organisation isn't worth the effort. Automated tooling, including AI-driven scanning, can systematically comb through vast numbers of repositories looking for exactly the kinds of vulnerabilities the ACSC is flagging: exposed secrets, hardcoded credentials, misconfigured access controls, and packages ripe for compromise.
Security through obscurity relied on the assumption that the sheer volume of targets provided a kind of camouflage. AI removes that camouflage entirely. Every stone gets turned. Every repository gets scanned. Every exposed secret gets found.
That rock in the road isn't hidden anymore. The question is whether you've learned to see it before you hit it.
Why This Isn't Just a Developer Problem
It's tempting to read an advisory about code repositories and file it under "something the dev team handles." That's a mistake.
When a compromised software package is embedded as a dependency, sometimes several layers deep, it can affect every system that relies on it. For organisations operating in commercial supply chains, defence, critical infrastructure, or any sector regulated under the Security of Critical Infrastructure Act (SOCI), a supply chain compromise of this nature can cascade quickly from a technical incident into a regulatory, operational, and reputational crisis.
The ACSC's advice to leaders is pointed: you should be able to ask your IT or cybersecurity team which software versions are deployed across your environment and get a timely, reliable answer. If you can't, you have a governance gap, not just a technical one.
Think of it this way: if a compromised package was identified in the wild tomorrow morning, could your organisation determine by tomorrow afternoon whether it's running in your systems? If the answer is "we'd need more time," you're riding downhill without scanning the road for rocks.
SBOMs: Your Safety Gear
The alert specifically points organisations toward Software Bill of Materials (SBOM) guidance. An SBOM is exactly what it sounds like: a detailed inventory of every software component in your environment, including versions, dependencies, and origins.
Without an SBOM capability, when a compromised package hits the news, your organisation is left scrambling. With one, you can assess relevance, scope impact, and act, in hours, not weeks.
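To make the "could we know by tomorrow afternoon?" question concrete, here is an added example (not code from this post or from ORCA Opti) of the check an SBOM makes possible. It reads a CycloneDX-style JSON SBOM, looks for a package named in an advisory within the affected version range, and walks the dependency graph so that a hit buried several layers deep is reported with the full path from your application down to it. The SBOM, the package names and the advisory are all constructed sample data, and the version comparison is a simplified numeric one, not a full ecosystem-aware version parser.

```python
"""Find an advisory's affected package in a CycloneDX-style SBOM.

Added example with constructed sample data; the SBOM below is not a real
product's bill of materials and the advisory is not a real one.
"""
import json

# Constructed CycloneDX 1.5-shaped SBOM: an application with a nested
# dependency chain (app -> web-framework -> http-utils -> colour-strip).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "orders-service", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:npm/web-framework@4.1.0", "name": "web-framework", "version": "4.1.0",
         "purl": "pkg:npm/web-framework@4.1.0"},
        {"bom-ref": "pkg:npm/http-utils@2.0.3", "name": "http-utils", "version": "2.0.3",
         "purl": "pkg:npm/http-utils@2.0.3"},
        {"bom-ref": "pkg:npm/colour-strip@1.4.2", "name": "colour-strip", "version": "1.4.2",
         "purl": "pkg:npm/colour-strip@1.4.2"},
        {"bom-ref": "pkg:npm/logger@5.0.0", "name": "logger", "version": "5.0.0",
         "purl": "pkg:npm/logger@5.0.0"},
        {"bom-ref": "pkg:npm/colour-strip@1.4.3", "name": "colour-strip", "version": "1.4.3",
         "purl": "pkg:npm/colour-strip@1.4.3"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/web-framework@4.1.0", "pkg:npm/logger@5.0.0"]},
        {"ref": "pkg:npm/web-framework@4.1.0", "dependsOn": ["pkg:npm/http-utils@2.0.3"]},
        {"ref": "pkg:npm/http-utils@2.0.3", "dependsOn": ["pkg:npm/colour-strip@1.4.2"]},
        {"ref": "pkg:npm/logger@5.0.0", "dependsOn": ["pkg:npm/colour-strip@1.4.3"]},
    ],
})

# Constructed advisory: versions >= introduced and < fixed are compromised.
ADVISORY = {"ecosystem": "npm", "name": "colour-strip", "introduced": "1.4.0", "fixed": "1.4.3"}


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); a non-numeric segment counts as 0."""
    parts = []
    for seg in text.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, introduced, fixed=None):
    """True when introduced <= version < fixed (no upper bound if fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_affected(sbom_text, advisory):
    """Return affected components with every dependency path that reaches them."""
    sbom = json.loads(sbom_text)
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    deps = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom.get("metadata", {}).get("component", {})
    root_ref = root.get("bom-ref")
    purl_prefix = f"pkg:{advisory['ecosystem']}/"

    def matches(c):
        return (c.get("purl", "").startswith(purl_prefix)
                and c.get("name") == advisory["name"]
                and is_affected(c.get("version", "0"), advisory["introduced"], advisory.get("fixed")))

    # Components that match even if the dependency graph never reaches them
    # (an incomplete graph still deserves a finding, just with no path).
    hits = {ref: {"name": c["name"], "version": c["version"], "paths": []}
            for ref, c in comps.items() if matches(c)}

    def label(ref):
        c = comps.get(ref) or (root if ref == root_ref else {})
        return f"{c.get('name', ref)}@{c.get('version', '?')}"

    def walk(ref, trail, seen):
        if ref in seen:  # guard against cycles in a malformed graph
            return
        trail = trail + [label(ref)]
        if ref in hits:
            hits[ref]["paths"].append(trail)
        for child in deps.get(ref, []):
            walk(child, trail, seen | {ref})

    if root_ref:
        walk(root_ref, [], frozenset())
    return sorted(hits.values(), key=lambda h: (h["name"], h["version"]))


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, ADVISORY):
        print(f"{hit['name']}@{hit['version']} is affected")
        for path in hit["paths"]:
            print("  via " + " -> ".join(path))
```

On the sample data the only hit is colour-strip 1.4.2, reached three layers below the application through web-framework and http-utils; the 1.4.3 copy pulled in by logger is reported clean because it is at the fixed version. The same function applied to a real SBOM export is the "hours, not weeks" answer the paragraph above describes.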
For organisations in Five Eyes defence supply chains, SBOM maturity is quickly shifting from a best practice to a procurement and compliance expectation. If your GRC framework doesn't account for software supply chain visibility, the time to address that was yesterday.
What You Can Do Right Now
Drawing on the ACSC's mitigation guidance, here's where to focus:
Immediate actions: Audit your code repositories for exposed secrets and credentials. Most major platforms offer native secret scanning; turn it on if it isn't already. Rotate any secrets that may have been exposed and review recent package installations for anything unexpected. Validate that only trusted, verified packages are in use.
Governance actions: Build or update your software supply chain risk policies. Ensure your organisation maintains an accurate, accessible inventory of deployed software packages and versions. Establish processes for ongoing monitoring, not just point-in-time audits. Recognise that AI-driven threats have fundamentally changed the threat landscape: obscurity is no longer a viable layer of defence.
Awareness actions: Brief your broader team, not just developers, on the risks of unverified software packages and the social engineering tactics being used to compromise repository access. The ACSC's guidance on social engineering and living-off-the-land techniques is worth circulating across your organisation.
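As an added illustration of the first immediate action above (an example written for this page, not code from the post, from ORCA Opti or from any platform's native scanner, which remains the recommended first step), here is a small Python scanner an auditor could run over a checkout of their own repository. It looks for a handful of common secret shapes, skips obvious placeholder values so the report is not drowned in false positives, and reports each finding redacted so that the audit output itself does not become another copy of the secret. The sample files, variable names and key-like values are all constructed; the AWS-style key is a fabricated value that merely matches the format.

```python
"""Scan repository files for exposed secrets and report them redacted.

Added example with constructed sample files. The patterns cover a few
common shapes only; a platform's native secret scanning knows far more.
"""
import os
import re

# Constructed sample repository (path -> file contents). None of these
# values are real credentials; the AKIA... string only matches the format.
SAMPLE_REPO = {
    "config/settings.py": 'DB_PASSWORD = "s3cr3t-prod-pass-2026"\nDEBUG = False\n',
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAFAKEKEY000000000\n",
    "docs/README.md": 'Set API_KEY = "your-api-key-here" before running.\n',
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
                   "-----END OPENSSH PRIVATE KEY-----\n",
    "src/app.js": "const token = process.env.GITHUB_TOKEN;\n",  # correct: read from env
}

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # A variable whose name ends in password/secret/api key/token, assigned a quoted literal.
    "assigned_secret": re.compile(
        r"(?i)([A-Za-z0-9_.-]*(?:password|passwd|pwd|secret|api[_-]?key|token))"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

# Values that are almost always documentation placeholders, not live secrets.
# Deliberately short: a broader list (e.g. "test") would hide real secrets in test configs.
PLACEHOLDER_HINTS = ("example", "changeme", "your-", "xxx", "placeholder", "<")

SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def is_placeholder(value):
    lowered = value.lower()
    return any(hint in lowered for hint in PLACEHOLDER_HINTS)


def redact(value):
    """Keep enough to locate the secret in the file, never the whole value."""
    return f"{value[:4]}...[{len(value)} chars]"


def scan_files(files):
    """files: mapping of path -> text. Returns findings sorted by path, line."""
    findings = []
    for path in sorted(files):
        for line_no, line in enumerate(files[path].splitlines(), 1):
            for rule, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    value = match.group(2) if rule == "assigned_secret" else match.group(0)
                    if is_placeholder(value):
                        continue
                    findings.append({"path": path, "line": line_no, "rule": rule,
                                     "redacted": redact(value)})
    return findings


def scan_directory(root):
    """Read a real checkout into memory (text files only) and scan it."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable: out of scope for a text scan
    return scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['redacted']}")
```

On the sample files the scanner flags the hardcoded database password, the AWS-format key and the committed private key, ignores the README placeholder, and raises nothing for the JavaScript file that correctly reads its token from the environment. A finding means the secret is already exposed to anyone with repository access, so the follow-up is the rotation step the post lists, not merely deleting the line.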
Where ORCA Opti Fits
At ORCA Opti, we built our platform for exactly this kind of challenge, one where cybersecurity, compliance, and supply chain risk intersect. Our solution is delivered within the Microsoft 365 environment your team already uses.
Whether you're mapping to the ISM, meeting SOCI obligations, working toward DISP compliance, or managing supplier risk across a defence supply chain, the ability to rapidly assess and respond to threats like this is core to what our GRC framework enables.
Software supply chain security isn't a one-off audit. It's an ongoing governance discipline, in an era where AI ensures no vulnerability goes unnoticed. Organisations that treat it that way will be the ones still upright when everyone else is wondering what happened.
Learn to scan the road ahead (and maybe not try to keep up with the older sibling). The rocks are always there; you just need to see them before they get you.
Read the full ACSC alert: Ongoing targeting of online code repositories
Learn more about ORCA Opti: orcaopti.ai
