Dev Machine Guard
The developer machine changed. Your visibility didn't.
Laptops hold GitHub tokens, npm publish rights, SSH keys, and cloud credentials. They now also run AI coding agents and MCP servers that install and execute code on their own. Dev Machine Guard inventories all of it, checks it against StepSecurity threat intelligence, and gives you policy to control what runs.
Claude CodeCLI Tool · Anthropic214 devices
CursorIDE · Cursor187 devices
OllamaFramework · OpenSource43 devices
npx~server-filesystemMCP server · cursor, windsurf96 devices
prettier-vscodeVS Code extension✓ approved
themes-plus-proOpen VSX extension✗ flagged
Inventory
Everything on the machine that can run code
Dev Machine Guard watches the software traditional tools never see, and keeps a live inventory across the whole organization.
AI coding agentsEvery CLI assistant, IDE agent, and local AI runtime across the fleet: Claude Code, Codex, Cursor, Ollama, and more, with vendor and device counts.IDE & AI Agents docs ↗
MCP serversEvery MCP server configured on any machine, which AI tools registered it, and which devices run it.MCP Servers docs ↗
IDE extensionsExtensions across VS Code, Cursor, JetBrains, and Windsurf, including marketplaces like Open VSX, with a risk score for each.IDE Extensions docs ↗
Packages on disknpm and Python packages installed on developer machines, checked continuously against threat intelligence.Packages docs ↗
Suspicious filesFiles that execute outside package lifecycles: a malicious binding.gyp, a Claude Code setup hook, a Cursor rules file. Detection rules are maintained by StepSecurity, with nothing to configure.Suspicious Files docs ↗
Attributed to the deviceEvery finding carries the device identifier, so "which machines have it?" is a query, not a survey. Pair with Secure Registry to attribute package pulls too.Explore Secure Registry →
Why now
This is where attacks start now
Four incidents in under a year targeted developer machines directly. Each one ran with developer privileges before any code reached CI.
May 2026Nx Console VS Code extensionA poisoned release with over 2 million installs stole GitHub, npm, and cloud tokens from developer laptops.
Oct 2025GlassWorm on Open VSXCompromised extensions spread through a marketplace most security tools never inspect.
Sep 2025Shai-Hulud wormSelf replicating npm malware harvested credentials from developer environments across 500+ packages.
Aug 2025S1ngularity Nx breachThe first known attack to harness developer facing AI CLI tools.
From visibility to policy
See it, then control it
Inventory is the starting point. Dev Machine Guard turns it into enforcement.
Device PolicyBuild approved extension sets from the inventory you already have, bundle them into profiles, and deliver them through your MDM. Policies compile to the IDE's native format, like VS Code's extensions.allowed, enforced on the device itself.Device Policy docs ↗
Cooldowns for local installsRoute laptop installs through Secure Registry. Cooldown windows and compromised version blocking apply on developer machines exactly as they do in CI.Explore Secure Registry →
Threat intel detectionsThe inventory is checked continuously against StepSecurity threat intelligence. When an extension or package is compromised, you know which machines have it within minutes.Detections docs ↗
Deployment
Not an MDM. Not an EDR. Built to ride the tools you have.
Dev Machine Guard is a lightweight, script based capability. One push from Intune, SCCM, or Jamf deploys it across the fleet on macOS, Windows, and Linux.
Signed and verifiedThe loader verifies an Ed25519 signed manifest and the binary's SHA-256 before anything executes. The binary itself is public on GitHub Releases.
Nothing new to operateNo console to babysit and no rules to hand tune. Detections are maintained centrally by StepSecurity and your fleet is evaluated against them automatically.
Four steps to a packageAn installation wizard generates a ready to deploy package for each operating system, with the telemetry key baked in.Installation docs ↗
StepSecurity's cutting-edge security features are a core part of Mercari's supply chain security strategy. Adding these isolation, monitoring and governance capabilities to our platform has enabled Mercari's Security Engineering team to spend more time focusing on the areas that are truly unique to our enterprise.
Allan Wirth
Manager of Platform and AI Security, Mercari
