cyberivy
Tags: AI Security, Perplexity, Bumblebee, Supply Chain, MCP, Developer Tools, Open Source, Endpoint Security

Perplexity Bumblebee scans developer endpoints for supply-chain risk

May 23, 2026

Image: A laptop shows program code in a dark theme; next to it are more screens with developer tools.

Perplexity open-sources Bumblebee: a read-only scanner designed to make risky packages, extensions and MCP configs on developer endpoints visible faster.

What this is about

Perplexity has released Bumblebee, an internal security tool, as open source. It does not look for live attacks. It scans developer laptops and workstations for traces of known risky packages, browser extensions, editor extensions and MCP configuration files on disk.

That matters because many supply-chain attacks now reach developer environments first. If a team needs to know whether a specific npm, PyPI or Go package exists somewhere in the fleet, classic SBOMs often show only what shipped, not the messy local state on developer machines.

What Bumblebee actually does

Bumblebee is a read-only scanner for macOS and Linux. According to the GitHub README, it is written in Go, ships as a static binary and has no external Go dependencies. It does not execute package managers, does not read application source files and does not monitor processes or network traffic.

Instead, it reads metadata: lockfiles such as package-lock.json, pnpm-lock.yaml, go.sum and Gemfile.lock, installed package metadata, manifests from VS Code, Cursor, Windsurf and VSCodium extensions, browser extensions and JSON-based MCP host configurations. It emits NDJSON. With an exposure catalog, Bumblebee can report exact matches when an advisory names a package, extension or version.

Why it matters

This moves the security problem closer to the people writing code. After Shai-Hulud-style campaigns against package ecosystems, the question is no longer only what was built in the final artifact. It is also which local tools, plugins and agent configurations a developer currently has installed.

For companies using AI coding tools, the MCP coverage is especially notable. Bumblebee reads supported MCP JSON configurations, and the project says it does not emit environment values or secret names. That is not full protection, but it is a useful inventory layer: security teams can more quickly check whether a known compromised component is present on developer endpoints.
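To make the two pieces described above concrete (reading lockfile and MCP metadata, matching it against an exposure catalog, and emitting NDJSON without leaking env values), here is a small read-only scanner in Go. It is an added illustration written for this article, not Bumblebee's own code: the `Finding` fields, the `Catalog` layout, the `mcpServers` JSON shape and all package and advisory names are assumptions or constructed placeholders.

```go
package main

import (
	"encoding/json"
	"io"
	"os"
	"path"
	"sort"
	"strings"
)

// Finding is one NDJSON record. Only metadata leaves the host: no source
// files, no environment values and no environment variable names.
type Finding struct {
	Kind      string `json:"kind"`      // "package" or "mcp_server"
	Ecosystem string `json:"ecosystem"` // "npm" or "mcp"
	Name      string `json:"name"`
	Version   string `json:"version,omitempty"`
	Command   string `json:"command,omitempty"`
	EnvCount  int    `json:"env_count,omitempty"`
	Exposure  string `json:"exposure,omitempty"` // advisory id on an exact match
}

// Catalog maps ecosystem -> name -> version -> advisory id (assumed layout).
// The version "*" means "any version", used for MCP entries that carry none.
type Catalog map[string]map[string]map[string]string

func (c Catalog) lookup(eco, name, version string) string {
	if adv := c[eco][name][version]; adv != "" { // reading nil maps is safe in Go
		return adv
	}
	return c[eco][name]["*"]
}

// npmLock is the subset of package-lock.json (lockfileVersion 2 or 3) read here.
type npmLock struct {
	Packages map[string]struct {
		Version string `json:"version"`
	} `json:"packages"`
}

// ScanNpmLock returns one Finding per installed package in a package-lock.json
// body; Exposure is set when the catalog names that exact name and version.
func ScanNpmLock(data []byte, cat Catalog) ([]Finding, error) {
	var lock npmLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	var out []Finding
	for key, pkg := range lock.Packages {
		// Keys look like "node_modules/a/node_modules/@scope/b"; the name is
		// everything after the last "node_modules/". The "" key is the root project.
		i := strings.LastIndex(key, "node_modules/")
		if i < 0 {
			continue
		}
		name := key[i+len("node_modules/"):]
		out = append(out, Finding{Kind: "package", Ecosystem: "npm", Name: name,
			Version: pkg.Version, Exposure: cat.lookup("npm", name, pkg.Version)})
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Name < out[b].Name })
	return out, nil
}

// mcpConfig is an assumed "mcpServers" layout; real hosts differ in details.
type mcpConfig struct {
	Servers map[string]struct {
		Command string            `json:"command"`
		Args    []string          `json:"args"`
		Env     map[string]string `json:"env"`
	} `json:"mcpServers"`
}

// ScanMCPConfig records each server's name, command and the number of env
// entries. Env names and values are deliberately never copied into a Finding.
func ScanMCPConfig(data []byte, cat Catalog) ([]Finding, error) {
	var cfg mcpConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	var out []Finding
	for name, s := range cfg.Servers {
		f := Finding{Kind: "mcp_server", Ecosystem: "mcp", Name: name,
			Command: s.Command, EnvCount: len(s.Env)}
		// An advisory may name the executable itself or a package handed to a
		// launcher such as npx, so check the command basename and every arg.
		for _, tok := range append([]string{path.Base(s.Command)}, s.Args...) {
			if adv := cat.lookup("mcp", tok, "*"); adv != "" {
				f.Exposure = adv
				break
			}
		}
		out = append(out, f)
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Name < out[b].Name })
	return out, nil
}

// WriteNDJSON emits one JSON object per line.
func WriteNDJSON(w io.Writer, fs []Finding) error {
	enc := json.NewEncoder(w)
	for _, f := range fs {
		if err := enc.Encode(f); err != nil {
			return err
		}
	}
	return nil
}

// Constructed sample inputs; package and advisory names are placeholders.
const sampleLock = `{"lockfileVersion":3,"packages":{"":{"name":"app"},
 "node_modules/left-pad":{"version":"1.3.0"},
 "node_modules/@acme/widget":{"version":"2.0.1"}}}`

const sampleMCP = `{"mcpServers":{"notes":{"command":"/usr/local/bin/npx",
 "args":["-y","@acme/notes-mcp"],"env":{"API_TOKEN":"s3cret"}}}}`

var sampleCatalog = Catalog{
	"npm": {"@acme/widget": {"2.0.1": "ADV-0001 (placeholder)"}},
	"mcp": {"@acme/notes-mcp": {"*": "ADV-0002 (placeholder)"}},
}

func main() {
	pkgs, err := ScanNpmLock([]byte(sampleLock), sampleCatalog)
	if err != nil {
		panic(err)
	}
	servers, err := ScanMCPConfig([]byte(sampleMCP), sampleCatalog)
	if err != nil {
		panic(err)
	}
	_ = WriteNDJSON(os.Stdout, append(pkgs, servers...))
}
```

Two design points carry the article's security argument: the scanner only parses metadata (it never invokes npm or the MCP server command), and the MCP record reduces `env` to a count so that neither the variable name `API_TOKEN` nor its value can appear in the NDJSON stream that gets shipped to a central collector.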

In plain language

Imagine a large restaurant kitchen. Normal quality control checks which meals were served. Bumblebee also checks the cooks' pantry: which ingredients are on the shelves, which labels are on the jars, and whether a recalled batch is present anywhere. It does not cook anything and does not open private notebooks; it reads the labels.

A practical example

A security team receives an advisory at 09:00: a specific Cursor extension version and an npm package are considered compromised. In a company with 480 developer machines, Bumblebee runs every six hours in baseline mode. At 09:20, the team sees 37 matches: 29 machines with the npm package in project directories and 8 with the extension. Instead of blocking every developer, the team can notify the affected people, check network risk and prioritize the relevant repositories.

Scope and limits

  • Bumblebee is not an EDR and does not detect a live attack. It answers whether known artifacts exist on disk.
  • Its value depends on the exposure catalog. If an advisory is vague or an ecosystem is not covered, visibility remains incomplete.
  • Version 0.1 does not read every format. Non-JSON MCP configs such as Codex config.toml or Continue YAML are not covered in the first release.

SEO & GEO keywords

Perplexity Bumblebee, supply-chain security, developer endpoint scanner, MCP security, npm security, PyPI security, Cursor extensions, VS Code extensions, AI coding security, software supply chain, open source security

💡 In plain English

Bumblebee is an inventory list for developer machines. It shows whether known risky packages, extensions or MCP configs are present without executing code or running package managers.

Key Takeaways

  • Perplexity has released Bumblebee as an open-source tool.
  • The scanner is read-only and focuses on local developer environments.
  • It covers package managers, editor and browser extensions, and JSON-based MCP configurations.
  • Its main value is faster incident response for known supply-chain advisories.
  • Bumblebee does not replace EDR and does not detect live attacks.

FAQ

What is Bumblebee?

Bumblebee is a read-only scanner from Perplexity for macOS and Linux developer endpoints.

Does Bumblebee execute package managers?

No. The project says it does not run npm, pip, go list or similar tools.

Why is MCP relevant here?

MCP configs can describe local agent tools and integrations. That layer is becoming more important in AI coding setups.

Is this a complete security system?

No. It is an inventory and exposure check, not an attack detection system.

Sources & Context