Until today, Dev Machine Guard ran on macOS. With this release, it also runs natively on Windows. The same scanning engine, the same enterprise dashboard, the same policies, now extended to the Windows developer machines in your fleet.
If you already use Dev Machine Guard on macOS, there is nothing new to learn. Run the binary on a Windows machine, point it at your tenant, and Windows developers start appearing in the dashboard alongside the rest of your fleet.
Why Windows Coverage Matters
A modern Windows developer machine is just as exposed as a macOS one, and in many enterprises it is the dominant platform. The same attack surfaces apply:
- AI coding agents like GitHub Copilot, Cursor, and Claude installed with elevated permissions
- MCP servers configured to connect those agents to internal systems, repositories, and credentials
- IDE extensions auto-updating in the background across VS Code, Cursor, and JetBrains products, pulled from both the VS Code Marketplace and the OpenVSX registry
- npm packages installed globally and across project directories
- Local processes and shell tooling with access to credentials and source code
Until this release, security teams running mixed fleets had a real visibility gap. macOS developer machines were inventoried by Dev Machine Guard, while Windows machines were either covered by partial scripts shared over Slack or not covered at all. That gap is exactly what attackers target during a supply chain incident, when the question "which of our developers actually have this compromised package or extension installed?" needs an answer in minutes, not days.
Real Incidents That Drove This Work
Dev Machine Guard exists because supply chain attacks against developer machines are no longer hypothetical. In the last twelve months alone, our research team has tracked:
- The Shai-Hulud npm worm campaign, which compromised 500+ packages and earned a CISA advisory, propagating through CI/CD and developer environments
- The s1ngularity Nx compromise, which weaponized AI CLI tools on developer machines to exfiltrate credentials
- The Mini Shai-Hulud wave hitting TanStack and other widely used npm packages, including OIDC token theft from GitHub Actions runners
In each incident, the hardest follow-up question was the same:
Which developer machines in our organization have the affected package, extension, or agent installed right now?
On macOS, Dev Machine Guard already answered that in one query. With Windows support, security teams can now answer it across their full Windows and macOS fleet from the same dashboard.
What Is Included in This Release
Platform
- Windows 10 and Windows 11 developer machines
- Both AMD64 (x64) and ARM64 binaries, signed with Sigstore and published with build provenance
Coverage
- AI coding agents, including Claude, Cursor, GitHub Copilot, and Codex
- AI CLI tools running on the machine
- IDE extensions from both the VS Code Marketplace and the OpenVSX registry, across VS Code, Cursor, Windsurf, Antigravity, and JetBrains products
- Installed IDEs and editor versions
- MCP server configurations across supported agents
- npm packages, both globally installed and per-project
- Local frameworks, processes, and shell tooling
- Device inventory: hostname, OS version, serial number
How Windows Detections Work
Dev Machine Guard uses native Windows mechanisms instead of trying to fake a Unix environment:
- Application discovery uses %LOCALAPPDATA%, %PROGRAMFILES%, and $PATH lookups
- Version information is read from the Windows Registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) rather than macOS Info.plist files
- Scheduled scanning uses Windows Task Scheduler via schtasks, in the same way macOS uses launchd
- File path handling uses filepath.Join throughout, so directory layouts work correctly under Windows drive letters and backslashes
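As an added illustration (not code from the Dev Machine Guard project), the Go sketch below shows the shape of the check the bullets above describe: build the Windows-native path to an editor's extensions manifest with filepath.Join, then answer "is an affected extension installed on this machine?" against a watchlist. The extensions.json field layout and the extension ids are assumptions and placeholders, not values from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Minimal view of one entry in VS Code's extensions.json; the field layout is
// an assumption and only the fields used here are modelled.
type extEntry struct {
	Identifier struct {
		ID string `json:"id"`
	} `json:"identifier"`
	Version string `json:"version"`
}

// extensionsFile builds the per-user extensions manifest path with filepath.Join,
// so drive letters and backslashes are correct on Windows. userProfile is
// %USERPROFILE%; dotDir is the editor folder (".vscode", ".cursor").
func extensionsFile(userProfile, dotDir string) string {
	return filepath.Join(userProfile, dotDir, "extensions", "extensions.json")
}

// matchAffected parses an extensions.json body and returns "id@version" for each
// installed extension whose id is on the watchlist (compared case-insensitively,
// as Marketplace ids are).
func matchAffected(manifest []byte, watchlist []string) ([]string, error) {
	var entries []extEntry
	if err := json.Unmarshal(manifest, &entries); err != nil {
		return nil, err
	}
	wanted := map[string]bool{}
	for _, id := range watchlist {
		wanted[strings.ToLower(id)] = true
	}
	var hits []string
	for _, e := range entries {
		if wanted[strings.ToLower(e.Identifier.ID)] {
			hits = append(hits, e.Identifier.ID+"@"+e.Version)
		}
	}
	return hits, nil
}

// Constructed sample manifest; the extension ids are placeholders, not real IoCs.
const sampleManifest = `[{"identifier":{"id":"example-pub.safe-tool"},"version":"1.0.0"},
{"identifier":{"id":"Example-Pub.Affected-Ext"},"version":"2.3.1"}]`

func main() {
	fmt.Println(extensionsFile(`C:\Users\dev`, ".vscode"))
	fmt.Println(matchAffected([]byte(sampleManifest), []string{"example-pub.affected-ext"}))
}
```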
Modes
- Community mode runs fully locally, with nothing leaving the machine
- Enterprise mode reports scan results to the StepSecurity backend for centralized visibility, policy enforcement, and historical reporting. The tier model is identical to macOS.
How To Get Started
Windows uses the same binary and the same commands as macOS.
For full rollout guidance, including MDM and Group Policy deployment, see the Installation Script documentation.
Community Tier
For individual developers and open-source maintainers, the open-source binary is free and runs entirely locally. It produces a JSON or HTML report of everything installed on the machine, with no data sent anywhere.
The GitHub repository, including all detection logic, is available at github.com/step-security/dev-machine-guard.
Enterprise Tier
For organizations rolling out across a Windows developer fleet, the Enterprise Tier adds:
- Centralized dashboard with per-device drill-down
- Policy enforcement for IDE extensions, MCP servers, AI agents, and packages
- Cooldown periods on newly published npm and PyPI packages
- Alerting on compromised dependencies, malicious extensions, and unapproved MCP servers
- Historical reporting and incident triage across the entire fleet
One Engine, macOS and Windows
Dev Machine Guard is built around a single open-source scanning engine. The same binary now runs on macOS and Windows. The same detections are added once and benefit both platforms. The same policies apply across your fleet from one dashboard.
If you have been waiting for Windows coverage before rolling Dev Machine Guard out to your full developer organization, this is the release that closes the gap. Try it on your Windows machines, and let us know what you find.
If you run into any issues or have detection suggestions, please open an issue at github.com/step-security/dev-machine-guard/issues.
Welcome to Windows.