HTTPS may hurt more than it helps in this case. One well-crafted email asking for help to debug a script on GitHub is all it takes to get sudo on up to 10% of the laptops in a company. Developers are just too darn helpful. :-) Unless you enforce full-tunnel VPNs on all laptops and force all outbound connections through MITM proxies, there is really no way to stop this. Anti-malware and anti-virus software will rarely detect a malicious Python, Ruby, Perl, or Bash script that simply connects outbound and downloads / executes a payload. Even DNS can be used to fetch the payload.
If you are a startup with limited resources, keep things as simple as you can. Back up your code, artifacts and customer data somewhere that automation and malware cannot tamper with it. Encrypt your customer backups. Challenge your staff to automate patching of your endpoints, your servers, your virtual machine images, etc. Challenge them to create build systems that produce lean, fully patched images with software that only comes from trusted sources: images for laptops, images you run in dev, images you run in production. Have a manifest of every piece of software, every library, every snippet of code your teams utilize. This will be helpful down the road when you have grown and your legal team wants to do a software license review. If using AWS, set up automation to audit and report on public S3 buckets.
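As an added example (not part of the comment above), the evaluation step of such a public-bucket audit in Python: it decides whether a bucket is exposed from the responses of boto3's get_public_access_block, get_bucket_acl and get_bucket_policy, which are assumed to be fetched separately, and the sample bucket data below is constructed.

```python
import json
# Grantee URIs meaning "everyone" / "any authenticated AWS account".
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_acl_grants(acl):
    """Permissions the bucket ACL hands to the public groups (get_bucket_acl shape)."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]

def public_policy_statements(policy_json):
    """Allow statements with a wildcard principal as (unconditional, conditioned); conditioned ones need a human look."""
    if not policy_json:
        return [], []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = [s for s in stmts
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))]
    return [s for s in hits if not s.get("Condition")], [s for s in hits if s.get("Condition")]

def assess_bucket(name, pab, acl, policy_json):
    """One finding per bucket; pab is the PublicAccessBlockConfiguration dict or None."""
    pab = pab or {}
    acl_hits = public_acl_grants(acl)
    open_stmts, cond_stmts = public_policy_statements(policy_json)
    # Block Public Access settings neutralise the respective exposure path when enabled.
    acl_public = bool(acl_hits) and not pab.get("IgnorePublicAcls", False)
    policy_public = bool(open_stmts) and not pab.get("RestrictPublicBuckets", False)
    return {"bucket": name, "public": acl_public or policy_public, "acl_grants": acl_hits,
            "open_statements": len(open_stmts), "needs_review": len(cond_stmts)}

# Constructed sample: a public-read ACL plus an anonymous GetObject policy statement.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]})
LOCKED = {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}

def demo():
    return [assess_bucket("example-assets", None, SAMPLE_ACL, SAMPLE_POLICY),
            assess_bucket("example-assets", LOCKED, SAMPLE_ACL, SAMPLE_POLICY)]
```

The same ACL and policy are evaluated twice: without Block Public Access the bucket is reported public, with it the finding is cleared, so a report that only looks at ACLs or policies in isolation over- or under-counts.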