Attackers are increasingly targeting packages, editor extensions, and AI tool configurations on developer machines, not just production systems. Perplexity has now open-sourced the internal tool it uses to address this.
Perplexity has released Bumblebee on GitHub. The tool is a read-only inventory collector for macOS and Linux developer endpoints. It is written entirely in Go with no dependencies beyond the standard library. Perplexity already uses it internally to protect the developer machines behind its search product, Comet browser, and Perplexity Computer agent.
The problem that Bumblebee solves
If you’re a software engineer or data scientist, you probably have dozens of packages installed locally. You have editor extensions, browser add-ons, and possibly MCP (Model Context Protocol) configurations on your device. When a new vulnerability emerges, your security team faces an urgent question: Which developer devices are now exposed?
Existing tools do not fully answer this. SBOMs (Software Bills of Materials) and vulnerability scanners cover build artifacts and repositories. EDR (Endpoint Detection and Response) products track process execution and network activity. Neither inspects the state of the local developer endpoint: the lock files, package metadata, extension data, and AI tool configurations spread across the laptop's file system.
Bumblebee fills this gap. When an advisory names a package, extension, or release, it reports which devices show a match in their on-disk metadata. The ecosystem scope was deliberate: it maps onto the ecosystems hit by recent active supply chain campaigns, including the Mini Shai-Hulud series, which reached npm, PyPI, RubyGems, Go, and Composer packages at companies including TanStack, SAP, and Zapier.
How does Bumblebee work?
Bumblebee is a one-shot scanner: each invocation performs one scan and exits. Cadence is the operator's responsibility, via cron, launchd, systemd, or MDM fleet tooling. It writes structured records as NDJSON (newline-delimited JSON), one per line, with diagnostics going to stderr.
The tool supports three scanning profiles. The baseline profile examines global package roots, user package roots, language toolchains, editor extensions, browser extensions, and MCP configurations. The project profile targets configured development roots such as ~/code or ~/src. The deep profile walks operator-supplied roots and is typically used during an active incident.
Internally, Perplexity uses Bumblebee in a five-step workflow. A threat signal arrives through a public disclosure or a third-party intelligence feed. Perplexity Computer drafts the catalog update, encoding the signal as a structured entry with ecosystem, package name, and affected versions, and opens a GitHub PR with source links. A human developer reviews and merges the PR. Bumblebee then runs on the endpoints with the updated catalog, and the results go to the security team.


What Bumblebee scans
Bumblebee covers four surface areas that existing tools normally handle separately.
For language package managers, it reads npm, pnpm, Yarn, Bun, PyPI, Go, RubyGems, and Composer. It reads lock files and installed-package metadata directly, from sources such as package-lock.json, pnpm-lock.yaml, go.sum, and *.dist-info/METADATA. Note that bun.lockb, Bun's binary lock file format, is not parsed in version 0.1; only the text bun.lock format is supported.
For AI agent configurations, Bumblebee reads the JSON configuration files of MCP hosts: mcp.json, .mcp.json, claude_desktop_config.json, mcp_config.json, mcp_settings.json, cline_mcp_settings.json, and ~/.gemini/settings.json for Gemini CLI. Non-JSON MCP configurations, such as Codex's config.toml or YAML-based formats, are not parsed in version 0.1. It parses these files for their server inventory but does not export the values, or even the key names, of any env blocks they contain.
For editor extensions, it reads data from VS Code, Cursor, Windsurf, and VSCodium. For browser extensions, it covers Chromium-family browsers – Chrome, Comet, Edge, Brave, and Arc – as well as Firefox.
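As an added illustration of that parsing rule (this is not Bumblebee's code), the following Go snippet reads the mcpServers map that Claude Desktop, Cursor and similar hosts use, records each server's launch command and the package it references, and deliberately reduces the env block to a presence flag so that neither key names nor values are serialized. The config is a constructed sample with made-up package names and a fake token; the mcpServers shape and the npx/uvx heuristics are assumptions, not a description of how Bumblebee derives package references.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// mcpConfig mirrors the "mcpServers" map used by Claude Desktop, Cursor and similar
// hosts (an assumed common shape; real hosts differ in details).
type mcpConfig struct {
	Servers map[string]struct {
		Command string            `json:"command"`
		Args    []string          `json:"args"`
		Env     map[string]string `json:"env"`
	} `json:"mcpServers"`
}

// MCPServer is the exported inventory record for one configured server.
type MCPServer struct {
	Source, Name, Command       string
	Args                        []string
	Ecosystem, Package, Version string // derived from the launch spec only, hence Confidence "low"
	Confidence                  string
	HasEnv                      bool // presence only: env keys and values never leave the host
}

// packageRef derives the package an MCP launch command pulls in: npx means an npm
// package, uvx a PyPI one. Anything else is treated as a local binary (no package).
func packageRef(command string, args []string) (eco, pkg, ver string) {
	switch command {
	case "npx":
		eco = "npm"
	case "uvx":
		eco = "pypi"
	default:
		return "", "", ""
	}
	for _, a := range args {
		if strings.HasPrefix(a, "-") {
			continue // flags such as -y
		}
		pkg = a
		if i := strings.LastIndex(a, "@"); i > 0 { // "@scope/x@1.2" -> "@scope/x", "1.2"
			pkg, ver = a[:i], a[i+1:]
		}
		return eco, pkg, ver
	}
	return "", "", ""
}

// parseMCPConfig reads one MCP host config and returns its server inventory.
func parseMCPConfig(source string, data []byte) ([]MCPServer, error) {
	var cfg mcpConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	names := make([]string, 0, len(cfg.Servers))
	for n := range cfg.Servers {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic record order
	out := make([]MCPServer, 0, len(names))
	for _, n := range names {
		s := cfg.Servers[n]
		eco, pkg, ver := packageRef(s.Command, s.Args)
		out = append(out, MCPServer{source, n, s.Command, s.Args, eco, pkg, ver, "low", len(s.Env) > 0})
	}
	return out, nil
}

// Constructed sample config: the package names and the token are made up.
const sampleConfig = `{"mcpServers":{
 "files":{"command":"npx","args":["-y","@example/mcp-server-files","/Users/dev"],"env":{"HOME":"/Users/dev"}},
 "fetch":{"command":"uvx","args":["mcp-server-fetch@0.6.2"]},
 "local":{"command":"/usr/local/bin/my-mcp","args":[],"env":{"API_TOKEN":"sample-secret-value"}}}}`

func main() {
	servers, err := parseMCPConfig("~/Library/Application Support/Claude/claude_desktop_config.json", []byte(sampleConfig))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout) // NDJSON: one record per line; the env block is never serialized
	for _, s := range servers {
		enc.Encode(s)
	}
}
```

The "local" server shows the point of the presence flag: the record says an env block exists, which is enough to prioritise a manual review, while the API_TOKEN key and its value stay on the host.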
Why read-only?
npm packages can carry postinstall scripts that run automatically during npm install. A scanner that invokes npm to check for exposure has therefore already triggered the very attack it was looking for. Bumblebee avoids this entirely: it never runs install scripts or lifecycle hooks, never invokes npm, pnpm, or pip, never reads application source files, and never performs network operations or resident monitoring. It is not an EDR.
Output and exposure catalog
Each package record includes the hostname, operating system, architecture, ecosystem, package name, version, source file, and a confidence level. Confidence is high when the exact identity and version come straight from the underlying metadata, medium when the identity is reliable but the version or source is partial, and low when only a configuration path or a spec reference was found.
Security teams supply their own exposure catalogs: simple JSON files that name the ecosystem, package name, and affected versions. When Bumblebee finds a match, it emits a detection record that includes the severity, catalog ID, and evidence, so each hit can be traced back to the catalog entry that produced it. The repo also ships a threat_intel/ directory of maintained exposure catalogs built from public supply chain campaign reports.
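To make the record, catalog and detection flow concrete, here is an added example in Go (not Bumblebee's code; the record, catalog and detection schemas are assumed from the fields described above, as is the lockfileVersion 2/3 package-lock.json layout). It parses a package-lock.json, builds package records with a confidence level, matches them against a JSON exposure catalog and writes detections as NDJSON to stdout with errors on stderr. The lock file and catalog are constructed samples, EX-0001 is a made-up catalog ID, and matching is on exact version strings only, so a real catalog would also need version-range handling.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"runtime"
	"strings"
)

// Record is one installed artefact found on disk; the fields follow the article's list (schema assumed).
type Record struct {
	Host, OS, Arch, Ecosystem, Name, Version, Source, Confidence string
}

// CatalogEntry is one affected package in an operator-supplied exposure catalog.
type CatalogEntry struct {
	ID, Ecosystem, Name, Severity string
	Versions                      []string
}

// Detection is emitted for every record that matches a catalog entry.
type Detection struct {
	Record                        Record
	CatalogID, Severity, Evidence string
}

// parseNpmLock reads a lockfileVersion 2/3 package-lock.json body. Keys look like
// "node_modules/@scope/name", nested deeper for deduplicated subtrees. Only metadata is read.
func parseNpmLock(host, source string, data []byte) ([]Record, error) {
	var lock struct {
		Packages map[string]struct{ Version string } `json:"packages"`
	}
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	var out []Record
	for key, pkg := range lock.Packages {
		if i := strings.LastIndex(key, "node_modules/"); i >= 0 { // the "" key is the root project
			conf := "high" // exact identity and version straight from the lock file
			if pkg.Version == "" {
				conf = "medium" // identity known, version not recorded
			}
			out = append(out, Record{host, runtime.GOOS, runtime.GOARCH, "npm",
				key[i+len("node_modules/"):], pkg.Version, source, conf})
		}
	}
	return out, nil
}

// match pairs records with catalog entries on ecosystem, case-insensitive name and exact version.
func match(records []Record, catalog []CatalogEntry) []Detection {
	var hits []Detection
	for _, rec := range records {
		for _, e := range catalog {
			if e.Ecosystem != rec.Ecosystem || !strings.EqualFold(e.Name, rec.Name) {
				continue
			}
			for _, v := range e.Versions {
				if v == rec.Version { // each detection carries the catalog ID that produced it
					hits = append(hits, Detection{rec, e.ID, e.Severity,
						fmt.Sprintf("%s@%s recorded in %s", rec.Name, rec.Version, rec.Source)})
				}
			}
		}
	}
	return hits
}

// scan parses one lock file, loads a JSON catalog and returns the detections.
func scan(host, source string, lock, catalogJSON []byte) ([]Detection, error) {
	var catalog []CatalogEntry
	if err := json.Unmarshal(catalogJSON, &catalog); err != nil {
		return nil, err
	}
	recs, err := parseNpmLock(host, source, lock)
	if err != nil {
		return nil, err
	}
	return match(recs, catalog), nil
}

// Constructed sample inputs: neither the lock file nor the catalog entry is real.
const sampleLock = `{"lockfileVersion":3,"packages":{"":{"name":"app"},
 "node_modules/left-pad":{"version":"1.3.0"},"node_modules/@scope/widget":{"version":"2.0.1"},
 "node_modules/@scope/widget/node_modules/left-pad":{"version":"1.1.0"}}}`
const sampleCatalog = `[{"id":"EX-0001","ecosystem":"npm","name":"Left-Pad","versions":["1.1.0","1.1.1"],"severity":"high"}]`

func main() {
	hits, err := scan("dev-laptop", "~/code/app/package-lock.json", []byte(sampleLock), []byte(sampleCatalog))
	if err != nil {
		fmt.Fprintln(os.Stderr, err) // diagnostics go to stderr, records to stdout
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout) // Encode writes one object per line: NDJSON
	for _, h := range hits {
		enc.Encode(h)
	}
}
```

The nested left-pad 1.1.0 under @scope/widget is the case that matters: a top-level-only walk would report 1.3.0 and miss the vulnerable copy, which is why the parser keys on the last node_modules/ segment rather than the first.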
Installation
Bumblebee requires Go 1.25 or later. Install it with:
go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest
After installation, bumblebee selftest verifies that the binary works correctly against built-in test data. The tool is licensed under the Apache 2.0 License. The current release is v0.1.1.
Key takeaways
- Bumblebee is Perplexity’s open source, read-only developer endpoint scanner for supply chain exposure checks.
- It covers npm, pnpm, Yarn, Bun, PyPI, Go, RubyGems, Composer modules, MCP configurations, editor extensions, and browser extensions.
- Three scanning profiles (baseline, project, and deep) support routine inventory and active incident response.
- The tool never executes installation scripts or calls package managers, preventing scan-triggered attacks.
- Built in Go with no dependencies beyond the standard library; available now on GitHub under Apache 2.0.