With this release, Dev Machine Guard runs natively on Linux. Combined with the macOS and Windows builds already in the field, the same scanning engine now covers every developer machine in your fleet.
If you already use Dev Machine Guard on macOS or Windows, there is nothing new to learn. Install the .deb or .rpm, point it at your tenant, and your Linux developers start appearing in the dashboard alongside everyone else.
Why Linux Coverage Matters
Linux is the operating system of choice for the developers most likely to hold the keys to production:
- Backend engineers, SREs, and platform teams running staging environments locally
- AI and machine-learning developers who need GPU access and CUDA toolchains
- Open-source maintainers shipping packages used by millions of downstream projects
- Security researchers and DevOps teams working in production-mirrored environments
These are exactly the developer machines an attacker most wants to compromise. They hold publishing tokens for npm and PyPI, SSH keys into production, GitHub credentials with elevated scopes, and direct access to CI/CD systems. Yet for many organizations, Linux developer machines have been the least-monitored corner of the fleet, falling between a traditional MDM that does not understand developer workflows and an EDR that does not understand supply chain risk.
Until this release, security teams running mixed fleets had a real visibility gap. macOS and Windows developer machines were inventoried by Dev Machine Guard, while Linux machines were either covered by partial scripts or not covered at all. That gap is exactly what attackers target during a supply chain incident, when the question "which of our developers actually have this compromised package or extension installed?" needs an answer in minutes, not days.
Real Incidents That Drove This Work
Dev Machine Guard exists because supply chain attacks against developer machines are no longer hypothetical. In the last twelve months alone, our research team has tracked:
- The Shai-Hulud npm worm campaign, which compromised 500+ packages and earned a CISA advisory, propagating through CI/CD pipelines and developer environments alike
- The s1ngularity Nx compromise, which weaponized AI CLI tools on developer machines (most of them Linux and macOS) to exfiltrate credentials
- The Mini Shai-Hulud wave hitting TanStack and other widely used npm packages, including OIDC token theft from GitHub Actions runners
In each incident, the hardest follow-up question was the same:
Which developer machines in our organization have the affected package, extension, or agent installed right now?
On macOS and Windows, Dev Machine Guard already answered that in one query. With Linux support, security teams can now answer it across the entire fleet from the same dashboard.
What Is Included in This Release
Platform
- Linux on AMD64 (x86_64), shipped as both .deb and .rpm packages
- Tested on Debian-based and RPM-based distributions
- All release artifacts signed with Sigstore, with build provenance attestations
Coverage
- AI coding agents installed on the machine, including Claude, Cursor, GitHub Copilot, and Codex
- AI CLI tools running on the machine
- IDE extensions from both the VS Code Marketplace and the OpenVSX registry, across VS Code, Cursor, Windsurf, and JetBrains products
- JetBrains IDEs (IntelliJ IDEA, PyCharm, GoLand, WebStorm, RubyMine, CLion, Rider, PhpStorm, DataGrip, RustRover, Aqua, DataSpell, AppCode)
- MCP server configurations across supported agents
- npm packages, both globally installed and per-project
- Linux system packages, including rpm, dpkg, pacman, apk, snap, flatpak
- Local frameworks, processes, and shell tooling
- Device inventory: hostname, distro and kernel version, BIOS serial number
How Linux detections work
Dev Machine Guard uses native Linux mechanisms instead of trying to emulate macOS conventions:
- Application discovery uses /opt/, /usr/share/*.desktop entries, and $PATH lookups
- Device identity is derived from the BIOS serial number, since Linux does not expose a macOS-style hardware serial
- Scheduled scanning uses a systemd user timer, installed under the developer's own user account. No root daemon, no system-wide service, no manual unit-file editing
- Package detection uses each manager's native query: rpm -qa for RPM, snap list for Snap, flatpak list for Flatpak
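The native-query approach above, shown as an added example (this is not Dev Machine Guard's own code): a POSIX shell script that normalizes the output of each package manager's query into one inventory and matches it against an advisory list, which is the per-machine form of the "who has the affected package?" question. The function names, the advisory file format, and the `dpkg-query` call are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Dev Machine Guard code. Function names and the advisory
# file format ("manager name version", "*" = any version) are assumptions.

# Print one "manager<TAB>name<TAB>version" row per installed system package,
# using each manager's own query and skipping managers that are absent.
inventory() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf 'rpm\t%{NAME}\t%{VERSION}-%{RELEASE}\n' 2>/dev/null
  fi
  if command -v dpkg-query >/dev/null 2>&1; then
    # Keep only fully installed packages (status "ii"), not leftover config.
    dpkg-query -W -f='${db:Status-Abbrev}\t${Package}\t${Version}\n' 2>/dev/null |
      awk -F'\t' '$1 ~ /^ii/ { print "dpkg\t" $2 "\t" $3 }'
  fi
  if command -v snap >/dev/null 2>&1; then
    snap list 2>/dev/null | awk 'NR > 1 { print "snap\t" $1 "\t" $2 }'
  fi
  if command -v flatpak >/dev/null 2>&1; then
    flatpak list --columns=application,version 2>/dev/null |
      awk -F'\t' 'NF { print "flatpak\t" $1 "\t" $2 }'
  fi
  return 0
}

# Read inventory rows on stdin and print those listed in advisory file $1.
# Manager and name must match exactly, so "libfoo-dev" never matches "libfoo".
match_affected() {
  awk -F'\t' -v adv="$1" '
    BEGIN {
      while ((getline line < adv) > 0) {
        if (line ~ /^[ \t]*(#|$)/) continue      # skip comments and blanks
        split(line, f, /[ \t]+/)
        key = f[1] SUBSEP f[2]
        bad[key] = bad[key] " " f[3] " "         # space-delimited version set
      }
    }
    {
      key = $1 SUBSEP $2
      hit = (key in bad) && (index(bad[key], " * ") ||
                             index(bad[key], " " $3 " "))
      if (hit) print
    }
  '
}

# Usage: sh pkg-triage.sh advisory.txt
if [ -n "${1:-}" ] && [ -r "$1" ]; then
  inventory | match_affected "$1"
fi
```

Keying on manager plus exact name keeps an advisory for a dpkg package from flagging an unrelated rpm or snap package that happens to share the name.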
Modes
- Community mode runs fully locally, with nothing leaving the machine
- Enterprise mode reports scan results to the StepSecurity backend for centralized visibility, policy enforcement, and historical reporting. The tier model is identical to macOS and Windows.
How To Get Started
For full rollout guidance, see the Installation Script documentation.
Community Tier
For individual developers and open-source maintainers, the open-source binary is free and runs entirely locally. It produces a JSON or HTML report of everything installed on the machine, with no data sent anywhere.
The GitHub repository, including all detection logic, is available at github.com/step-security/dev-machine-guard.
Enterprise Tier
For organizations rolling out across a Linux developer fleet, the Enterprise Tier adds:
- Centralized dashboard with per-device drill-down
- Policy enforcement for IDE extensions, MCP servers, AI agents, and packages
- Cooldown periods on newly published npm and PyPI packages
- Alerting on compromised dependencies, malicious extensions, and unapproved MCP servers
- Historical reporting and incident triage across the entire fleet
One Engine, Every Developer Machine
Dev Machine Guard is built around a single open-source scanning engine. The same binary now runs on macOS, Windows, and Linux. The same detections are added once and benefit every platform. The same policies apply across your fleet from one dashboard.
If you have been waiting for Linux coverage before rolling Dev Machine Guard out to your full developer organization, this is the release that closes the gap. Try it on your Linux machines, and let us know what you find.
If you run into any issues or have detection suggestions, please open an issue at github.com/step-security/dev-machine-guard/issues.
Welcome to Linux.




