www.stepsecurity.io, 3/12/2026, 5:14:06 PM

Dev Machine Guard Is Now Open Source: See What's Really Running on Your Developer Machine


Dev Machine Guard has been open-sourced, with StepSecurity releasing the core scanning engine so developers and security teams can see what actually runs on a developer machine. The project is described as a single bash script that inventories IDEs, AI agents, MCP server configurations, IDE extensions, and Node.js packages, and it can output in colour, JSON, or a self-contained HTML report.

The article notes that the developer tooling layer is a major attack surface, since the tools running there can reach GitHub tokens, npm credentials, SSH keys, and cloud access, and it highlights AI coding agents such as Claude Code and GitHub Copilot as contributors to this expansion.

The open-source code is hosted at github.com/step-security/dev-machine-guard. The script can be run locally or deployed across fleets via enterprise MDM tools, and an enterprise mode sends results to StepSecurity's backend when credentials are provided.
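The inventory and credential-exposure points above can be illustrated with a small scanner. The script below is an added example, not the Dev Machine Guard code from the repository: it walks an assumed home-directory layout (`.vscode/extensions/` for IDE extensions, `.npm-global/lib/node_modules/` for global npm packages, `.claude.json` and `.cursor/mcp.json` for MCP server definitions; all of these paths are assumptions modelled on common layouts), lists what it finds, flags MCP `env` entries whose values carry well-known credential prefixes (GitHub `ghp_`/`github_pat_`, npm `npm_`, Anthropic `sk-ant-`, AWS `AKIA`), and emits a JSON summary. The fixture it scans when run without arguments is constructed inline; the server and package names in it are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not the Dev Machine Guard script): inventory the developer
# tooling layer under a root directory and flag credential-shaped MCP env values.
# All file locations are assumptions modelled on common IDE/agent layouts.
set -u

json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Join stdin lines into a JSON array of strings ("[]" when stdin is empty).
json_array() {
  local first=1 line out='['
  while IFS= read -r line; do
    [ "$first" = 1 ] || out="$out,"
    out="$out\"$(json_escape "$line")\""
    first=0
  done
  printf '%s]' "$out"
}

# IDE extensions: one directory per extension (assumed VS Code-style layout).
list_extensions() {
  local d="$1/.vscode/extensions" e
  [ -d "$d" ] || return 0
  for e in "$d"/*/; do [ -d "$e" ] && basename "$e"; done
}

# Global npm packages: one directory per package (assumed npm prefix).
list_npm_globals() {
  local d="$1/.npm-global/lib/node_modules" p
  [ -d "$d" ] || return 0
  for p in "$d"/*/; do [ -d "$p" ] && basename "$p"; done
}

# MCP server names: object-valued keys in each config minus the structural
# keys "mcpServers" and "env". Heuristic text extraction; use jq in production.
list_mcp_servers() {
  local f rel
  for f in "$1/.claude.json" "$1/.cursor/mcp.json"; do
    [ -f "$f" ] || continue
    rel="${f#"$1"/}"
    grep -o '"[^"]*"[[:space:]]*:[[:space:]]*{' "$f" \
      | sed 's/^"\([^"]*\)".*/\1/' \
      | grep -v -E '^(mcpServers|env)$' \
      | sed "s|^|$rel:|"
  done
}

# Env keys whose values look like live credentials. Only the key name is
# reported, never the value, so the report itself does not leak the secret.
find_exposed_tokens() {
  local f rel
  for f in "$1/.claude.json" "$1/.cursor/mcp.json"; do
    [ -f "$f" ] || continue
    rel="${f#"$1"/}"
    grep -E -o '"[A-Za-z_]+"[[:space:]]*:[[:space:]]*"(ghp_|github_pat_|npm_|sk-ant-|AKIA)[A-Za-z0-9_-]{16,}"' "$f" \
      | sed 's/^"\([^"]*\)".*/\1/' \
      | sed "s|^|$rel:|"
  done
}

# One JSON object per scanned root.
inventory_json() {
  local root="$1"
  printf '{"root":"%s","extensions":%s,"npm_globals":%s,"mcp_servers":%s,"exposed_token_keys":%s}\n' \
    "$(json_escape "$root")" \
    "$(list_extensions "$root" | json_array)" \
    "$(list_npm_globals "$root" | json_array)" \
    "$(list_mcp_servers "$root" | json_array)" \
    "$(find_exposed_tokens "$root" | json_array)"
}

# Constructed fixture standing in for a developer's home directory.
# The extension, package and server names are hypothetical; the token is fake.
make_fixture() {
  local root="$1"
  mkdir -p "$root/.vscode/extensions/ms-python.python-2024.2.1" \
           "$root/.vscode/extensions/github.copilot-1.180.0" \
           "$root/.npm-global/lib/node_modules/typescript" \
           "$root/.cursor"
  cat > "$root/.claude.json" <<'EOF'
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "example-github-mcp-server"],
      "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEE" }
    },
    "filesystem": { "command": "npx", "args": ["-y", "example-fs-mcp-server", "/tmp"] }
  }
}
EOF
  cat > "$root/.cursor/mcp.json" <<'EOF'
{ "mcpServers": { "postgres": { "command": "uvx", "args": ["example-postgres-mcp-server"] } } }
EOF
}

ROOT="${1:-}"
if [ -z "$ROOT" ]; then   # no path given: scan the constructed fixture
  ROOT="$(mktemp -d)"; make_fixture "$ROOT"
fi
inventory_json "$ROOT"
```

Pass a real home directory as the first argument to scan it instead of the fixture. The token check reports only the env key name; a fleet report that echoed the value would turn the scanner into a new exfiltration path for exactly the credentials it is meant to protect.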

The post, published on 12 March 2026, also references previous StepSecurity disclosures about supply chain incidents that involved npm packages and AI tooling, including the Shai-Hulud campaign that led to a CISA advisory after compromising more than 500 packages.


Article by CyberSIXT