{"id":92391,"date":"2026-05-23T16:57:44","date_gmt":"2026-05-23T16:57:44","guid":{"rendered":"https:\/\/youzum.net\/perplexity-open-sources-bumblebee-a-read-only-supply-chain-scanner-for-developer-endpoints\/"},"modified":"2026-05-23T16:57:44","modified_gmt":"2026-05-23T16:57:44","slug":"perplexity-open-sources-bumblebee-a-read-only-supply-chain-scanner-for-developer-endpoints","status":"publish","type":"post","link":"https:\/\/youzum.net\/de\/perplexity-open-sources-bumblebee-a-read-only-supply-chain-scanner-for-developer-endpoints\/","title":{"rendered":"Perplexity Open-Sources Bumblebee: A Read-Only Supply-Chain Scanner for Developer Endpoints"},"content":{"rendered":"

Attackers increasingly target the packages, editor extensions, and AI tool configs on developer machines and not just production systems. Perplexity has open-sourced an internal tool it uses to address this problem.<\/p>\n

Perplexity released Bumblebee on GitHub<\/a>. The tool is a read-only inventory collector for macOS and Linux developer endpoints. It is written entirely in Go and carries zero non-stdlib dependencies. Perplexity already uses it internally to protect developer systems behind its search product, Comet browser, and Computer agent.<\/p>\n

Problem that Bumblebee Solves<\/strong><\/h2>\n

If you are a software engineer or data scientist, you likely have dozens of packages installed locally. You have editor extensions, browser add-ons, and possibly MCP (Model Context Protocol) configs on your machine. When a new vulnerability surfaces, your security team faces one urgent question: which developer machines are exposed right now?<\/p>\n

Existing tools do not fully answer this. SBOMs (Software Bills of Materials) and vulnerability scanners cover build artifacts and repositories. EDR (Endpoint Detection and Response) products track what processes ran or touched the network. Neither checks local developer state \u2014 lockfiles, package metadata, extension manifests, and AI tool configs scattered across a laptop\u2019s filesystem.<\/p>\n

Bumblebee fills that gap. When an advisory names a package, extension, or version, it answers which machines show a match in their on-disk metadata right now. The ecosystem scope was also deliberate: the covered ecosystems map to recent active supply-chain campaigns, including the Mini Shai-Hulud series, which hit npm, PyPI, RubyGems, Go modules, and Composer packages across companies including TanStack, SAP, and Zapier.<\/p>\n

How Bumblebee Works<\/strong><\/h2>\n

Bumblebee is a one-shot scanner. Each invocation performs a single scan and exits. Cadence is the operator\u2019s responsibility \u2014 cron, launchd, systemd, or MDM fleet tooling. It outputs structured records as NDJSON (newline-delimited JSON), one per line, with diagnostics going to stderr.<\/p>\n

The tool supports three scan profiles. The baseline<\/code> profile scans common global and user package roots, language toolchains, editor extensions, browser extensions, and MCP configs. The project<\/code> profile targets configured development directories such as ~\/code<\/code> or ~\/src<\/code>. The deep<\/code> profile sweeps operator-supplied roots, typically a bare home directory during an active incident.<\/p>\n

Internally, Perplexity uses Bumblebee inside a five-step workflow. A threat signal arrives from public disclosures or third-party intel feeds. Perplexity Computer then drafts a catalog update, entering the signal as a structured entry with ecosystem, package name, and version \u2014 and opens a GitHub PR with source links. A human dev reviews and merges the PR. Bumblebee then runs on endpoints with the updated catalog, and findings are shared with the security team.<\/p>\n

\n
\"\"
Image source: https:\/\/www.perplexity.ai\/hub\/blog\/perplexity-is-open-sourcing-bumblebee<\/figcaption><\/figure>\n<\/div>\n

What Bumblebee Scans<\/strong><\/h2>\n

Bumblebee covers four surface areas that existing tools typically handle separately.<\/strong><\/p>\n

For language package managers, it reads from npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, and Composer. It reads lockfiles and installed package metadata directly \u2014 sources like package-lock.json<\/code>, pnpm-lock.yaml<\/code>, go.sum<\/code>, and *.dist-info\/METADATA<\/code>. Note that bun.lockb<\/code>, Bun\u2019s binary lockfile format, is not parsed in v0.1; only the text bun.lock<\/code> format is supported.<\/p>\n

For AI agent configs, Bumblebee reads MCP JSON host configuration files: mcp.json<\/code>, .mcp.json<\/code>, claude_desktop_config.json<\/code>, mcp_config.json<\/code>, mcp_settings.json<\/code>, cline_mcp_settings.json<\/code>, and ~\/.gemini\/settings.json<\/code> for Gemini CLI. Non-JSON MCP configs such as Codex config.toml<\/code> and Continue YAML are not parsed in v0.1. It parses these files for server inventory but does not emit environment values or environment key names found in env<\/code> blocks.<\/p>\n

For editor extensions, it reads manifests from VS Code, Cursor, Windsurf, and VSCodium. For browser extensions, it covers Chromium-family browsers \u2014 Chrome, Comet, Edge, Brave, and Arc \u2014 plus Firefox.<\/p>\n

Why Read-Only<\/strong><\/h2>\n

npm packages can carry postinstall<\/code> scripts that execute automatically on npm install<\/code>. A scanner that invokes npm to check exposure has already triggered the attack it was looking for. Bumblebee avoids this entirely by never running install scripts or lifecycle hooks, never invoking npm, pnpm, bun, or pip, never reading application source files, and performing no process or network monitoring. It is not an EDR.<\/p>\n

Output and Exposure Catalog<\/strong><\/h2>\n

Each package record includes the hostname, OS, architecture, ecosystem, package name, version, source file, and a confidence<\/code> field. Confidence is high<\/code> when exact identity and version came from canonical metadata, medium<\/code> when identity is reliable but version or source is partial, and low<\/code> when only a config path or spec reference is found.<\/p>\n

Security teams supply their own exposure catalogs \u2014 simple JSON files specifying ecosystem, package name, and affected versions. When Bumblebee finds a match, it emits a finding record including severity, catalog ID, and evidence. Each finding is fully traceable back to which catalog entry triggered it. The repo also includes a threat_intel\/<\/code> directory with maintained exposure catalogs built from public supply-chain campaign reporting.<\/p>\n

Getting Started<\/strong><\/h2>\n

Bumblebee requires Go 1.25 or later. Install with:<\/strong><\/p>\n

\n
\n
\n
\n
<\/div>\n
<\/div>\n
<\/div>\n<\/div>\n
Copy Code<\/span>Copied<\/span>Use a different Browser<\/span><\/a><\/div>\n<\/div>\n
go install github.com\/perplexityai\/bumblebee\/cmd\/bumblebee@latest<\/code><\/pre>\n<\/div>\n<\/div>\n
After install, bumblebee selftest<\/code> verifies the binary works correctly against embedded fixtures. The tool is licensed under Apache License 2.0. The current release is v0.1.1.<\/p>\n
Key Takeaways<\/strong><\/h2>\n