Attackers are increasingly targeting the packages, editor extensions, and AI tool configurations found on developer workstations—not just production servers. To combat this threat, Perplexity has released an internal security tool as open source.
Perplexity has published Bumblebee on GitHub. This tool serves as a read-only inventory collector designed for macOS and Linux developer machines. Built entirely in Go with zero external dependencies, it is already deployed internally to safeguard developer systems connected to Perplexity’s search product, Comet browser, and Computer agent.
The Challenge Bumblebee Addresses
If you work as a software engineer or data scientist, you likely have dozens of packages installed on your local machine. Alongside these, you probably use editor extensions, browser add-ons, and potentially MCP (Model Context Protocol) configurations. When a newly discovered vulnerability emerges, your security team is left with one pressing question: which developer machines are currently exposed?
Current security tools fall short in providing complete answers. SBOMs (Software Bills of Materials) and vulnerability scanners only cover build artifacts and repositories. EDR (Endpoint Detection and Response) solutions track executed processes and network connections. Neither examines local developer environments—including lockfiles, package metadata, extension manifests, and AI tool settings scattered across a laptop’s filesystem.
Bumblebee bridges this gap. When an advisory identifies a specific package, extension, or version, it instantly identifies which machines contain matching metadata stored on disk. The tool’s ecosystem coverage was also carefully chosen: the supported ecosystems correspond to recent active supply-chain attacks, including the Mini Shai-Hulud campaign series that compromised npm, PyPI, RubyGems, Go modules, and Composer packages across companies such as TanStack, SAP, and Zapier.
How Bumblebee Operates
Bumblebee functions as a single-run scanner. Each execution performs one scan before exiting. The scanning frequency is managed by the operator—whether through cron, launchd, systemd, or MDM fleet management tools. It produces structured output in NDJSON (newline-delimited JSON) format, with one record per line, while diagnostic messages are sent to stderr.
The tool offers three scanning profiles. The baseline profile examines common global and user package directories, language toolchains, editor extensions, browser extensions, and MCP configurations. The project profile focuses on configured development directories like ~/code or ~/src. The deep profile scans operator-specified directories, typically encompassing an entire home directory during an active security incident.
Within Perplexity, Bumblebee operates as part of a five-step workflow. A threat indicator arrives from public disclosures or third-party intelligence feeds. Perplexity Computer then generates a catalog update, formatting the indicator as a structured entry containing ecosystem details, package name, and version—while also opening a GitHub PR with source references. A human developer reviews and merges the update. Bumblebee subsequently runs on endpoints with the updated catalog, and results are forwarded to the security team.
What Bumblebee Examines
Bumblebee inspects four key areas that existing tools typically address separately.
For language package managers, it processes data from npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, and Composer. It directly reads lockfiles and installed package metadata—sources such as package-lock.json, pnpm-lock.yaml,
go.sum, and *.dist-info/METADATA. Note that bun.lockb, Bun’s binary lockfile format, is not parsed in v0.1; only the text bun.lock format is supported.
For AI agent configurations, Bumblebee reads MCP JSON host configuration files: mcp.json, .mcp.json, claude_desktop_config.json, mcp_config.json, mcp_settings.json, cline_mcp_settings.json, and ~/.gemini/settings.json for Gemini CLI. Non-JSON MCP configurations such as Codex config.toml and Continue YAML are not parsed in v0.1. It scans these files to identify configured servers but does not extract environment values or environment key names found in env blocks.
For editor extensions, it reads manifests from VS Code, Cursor, Windsurf, and VSCodium. For browser extensions, it covers Chromium-family browsers — Chrome, Comet, Edge, Brave, and Arc — plus Firefox.
Why Read-Only
npm packages can include postinstall scripts that run automatically during npm install. A scanner that calls npm to assess exposure has already triggered the very attack it was trying to detect. Bumblebee sidesteps this risk entirely by never executing install scripts or lifecycle hooks, never calling npm, pnpm, bun, or pip, never reading application source files, and performing no process or network monitoring. It is not an EDR.
Output and Exposure Catalog
Each package record includes the hostname, OS, architecture, ecosystem, package name, version, source file, and a confidence field. Confidence is high when the exact identity and version were obtained from canonical metadata, medium when the identity is reliable but the version or source is incomplete, and low when only a config path or spec reference was found.
Security teams provide their own exposure catalogs — simple JSON files that define the ecosystem, package name, and affected versions. When Bumblebee finds a match, it generates a finding record that includes severity, catalog ID, and supporting evidence. Each finding is fully traceable to the specific catalog entry that triggered it. The repository also includes a threat_intel/ directory containing regularly updated exposure catalogs built from public supply-chain campaign reports.
Getting Started
Bumblebee requires Go 1.25 or later. Install it with:
go install github.com/perplexityai/bumblebee/cmd/bumblebee@latestAfter installation, run bumblebee selftest to verify the binary works correctly against embedded test fixtures. The tool is licensed under Apache License 2.0. The current release is v0.1.1.
Key Takeaways
- Bumblebee is Perplexity’s open-source, read-only developer endpoint scanner designed for supply-chain exposure checks.
- It supports npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer, MCP configs, editor extensions, and browser extensions.
- Three scan profiles —
baseline,project, anddeep— support both routine inventory and active incident response. - The tool never executes install scripts or invokes package managers, preventing scan-triggered attacks.
- Built in Go with zero non-standard-library dependencies; available now on GitHub under Apache 2.0.
Check out the GitHub Repo and Technical details. Also, feel free to follow us on Twitter and don’t forget to join our 150k+ ML SubReddit and subscribe to our Newsletter. Wait! Are you on Telegram? Now you can join us on Telegram as well.
Need to partner with us for promoting your GitHub Repo OR Hugging Face Page OR Product Release OR Webinar etc.? Connect with us
