Bumblebee: Perplexity's Read-Only Supply Chain Scanner with 4.8k+ GitHub Stars

Supply-chain attacks have become the new frontier of software security. Rather than targeting production systems directly, attackers now compromise the developer machines that build them—through malicious npm packages, poisoned browser extensions, and compromised MCP (Model Context Protocol) servers. Perplexity AI just open-sourced Bumblebee, a read-only scanner that answers the question every security team dreads: which developer machines have this vulnerable package installed right now? With 4.8k+ GitHub stars and active development (latest commit June 25, 2026), Bumblebee is rapidly becoming the standard for supply-chain endpoint inventory.

What is Bumblebee?

Bumblebee is a read-only inventory collector for macOS and Linux developer endpoints, built by Perplexity AI to detect exposure to known software supply-chain compromises. Unlike traditional security tools that focus on build artifacts (SBOMs) or runtime behavior (EDR), Bumblebee fills a critical gap: it scans the scattered on-disk state of developer machines—lockfiles, package metadata, extension manifests, and AI tool configurations—to answer one precise question: does this machine have a specific package, version, extension, or MCP configuration that matches a known threat?

The tool was born from internal necessity. Perplexity uses it to protect the developer systems behind Perplexity Search, Comet browser, and Computer agent. When a supply-chain advisory lands, Bumblebee runs on endpoints with an updated threat catalog and flags exact matches in seconds. The read-only design is intentional: it never executes install scripts, never invokes package managers, and never reads application source code—preventing the scanner itself from becoming the attack vector.

Bumblebee is written entirely in Go 1.25+ with zero non-standard library dependencies. This minimalist architecture makes it lightweight, auditable, and safe to deploy across fleet infrastructure without worrying about hidden supply-chain risk in the scanner itself.

Core Features and Architecture

1. Multi-Ecosystem Coverage

Bumblebee covers eight language package managers in a single scan: npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, and Composer. It reads metadata directly from lockfiles and installed package metadata—`package-lock.json`, `pnpm-lock.yaml`, `go.sum`, `*.dist-info/METADATA`—without invoking the package managers themselves. This is critical: npm packages can carry postinstall scripts that execute automatically on install. A scanner that runs `npm install` to check for exposure has already triggered the attack it was looking for.

2. AI Agent Configuration Scanning

Bumblebee reads MCP JSON host configuration files: `mcp.json`, `.mcp.json`, `claude_desktop_config.json`, `mcp_config.json`, `mcp_settings.json`, `cline_mcp_settings.json`, and `~/.gemini/settings.json` for Gemini CLI. It parses these files for server inventory but does not emit environment values or credentials found in `env` blocks—a deliberate privacy guard. Non-JSON MCP configs (Codex `config.toml`, Continue YAML) are not yet supported in v0.1.

3. Editor and Browser Extension Inventory

For editor extensions, Bumblebee reads manifests from VS Code, Cursor, Windsurf, and VSCodium. For browser extensions, it covers Chromium-family browsers (Chrome, Comet, Edge, Brave, Arc) and Firefox. This matters because recent supply-chain campaigns have targeted editor extensions as a vector into developer machines.

4. Three Scan Profiles for Different Workflows

Baseline profile: Routine scan of standard laptop locations—global and user package roots, language toolchains, editor extensions, browser extensions, and MCP configs. Teams schedule this through MDM or fleet tooling on a regular cadence.

Project profile: Targeted scan of specific development directories like `~/code` or `~/src`. Useful for checking specific workspaces or repositories.

Deep profile: Response sweep for active incidents. Accepts explicit `--root` paths, including broad roots like `$HOME`. Only the deep profile allows bare-home scans.

5. Structured NDJSON Output with Confidence Levels

Bumblebee outputs newline-delimited JSON (NDJSON), one record per line. Each package record includes hostname, OS, architecture, ecosystem, package name, version, source file, and a `confidence` field. Confidence is `high` when exact identity and version came from canonical metadata, `medium` when identity is reliable but version or source is partial, and `low` when only a config path or spec reference is found. This lets security teams distinguish between definite exposures and uncertain matches.

6. Exposure Catalog Matching

Security teams supply their own exposure catalogs—simple JSON files specifying ecosystem, package name, and affected versions. When Bumblebee finds a match, it emits a finding record including severity, catalog ID, and evidence. Each finding is fully traceable back to which catalog entry triggered it. The repo includes a `threat_intel/` directory with maintained exposure catalogs built from public supply-chain campaign reporting, including the Mini Shai-Hulud series that hit npm, PyPI, RubyGems, Go modules, and Composer packages across companies including TanStack, SAP, and Zapier.

Get free AI agent insights weekly

Join our community of builders exploring the latest in AI agents, frameworks, and automation tools.

Join Free

Getting Started

Bumblebee requires Go 1.25 or later. Installation is straightforward:

go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest

Or pin a specific version:

go install github.com/perplexityai/bumblebee/cmd/bumblebee@v0.1.2

After installing, run the built-in self-test to verify the binary works:

bumblebee selftest
# selftest OK (2 findings in 1ms)

The fixtures are embedded in the binary, use deliberately fake package names, and make no network calls. A non-zero exit means the local install can no longer detect what it should—a fast pre-deployment smoke test for fleet rollouts.

To build from source:

git clone https://github.com/perplexityai/bumblebee.git
cd bumblebee
go build -o bumblebee ./cmd/bumblebee
go test ./...

Real-World Use Cases

1. Incident Response at Scale

When a supply-chain advisory lands, security teams need to know immediately which machines are exposed. Bumblebee answers this in seconds. A threat signal arrives from public disclosures or third-party intel feeds. Perplexity Computer drafts a catalog update, entering the signal as a structured entry with ecosystem, package name, and version—and opens a GitHub PR with source links. A human reviews and merges the PR. Bumblebee then runs on endpoints with the updated catalog, and findings are shared with the security team. This workflow scales from 10 machines to 10,000.

2. Continuous Baseline Inventory

Teams can schedule Bumblebee to run daily via cron, launchd, systemd, or MDM fleet tooling. The baseline profile scans standard locations without requiring explicit configuration. Results feed into a central inventory system, giving security teams a living picture of what's installed across the developer fleet.

3. MCP Server Auditing

As MCP adoption accelerates, developers are installing servers from GitHub repositories and community Discords without formal vetting. Bumblebee reads MCP host configs and flags suspicious or known-malicious servers. This is critical because MCP servers have broad access to the developer's environment.

4. Compliance and Audit Trails

Each record carries `scan_time`, `run_id`, `scanner_version`, and endpoint metadata. This creates an auditable trail of what was scanned, when, and by which version of the scanner. Useful for compliance reporting and post-incident forensics.

How It Compares

vs. SBOMs and Vulnerability Scanners: Tools like Syft and Trivy focus on build artifacts and repositories. They answer "what shipped in this container?" Bumblebee answers "what's installed on this developer machine right now?" Complementary, not competitive.

vs. EDR (Endpoint Detection and Response): EDR products like CrowdStrike and Sentinel One track what processes ran and what touched the network. Bumblebee is read-only inventory collection. It does not monitor runtime behavior. EDR catches attacks in progress; Bumblebee catches exposure before the attack runs.

vs. Package Manager Audits: Running `npm audit` or `pip audit` invokes the package manager, which can trigger postinstall scripts. Bumblebee reads lockfiles directly, avoiding this risk entirely. It's also ecosystem-agnostic—one tool covers npm, PyPI, Go, RubyGems, and Composer in a single scan.

What is Next

Bumblebee is currently at v0.1.2 and actively maintained. Recent additions include support for agent-skill scanner for `skills.sh` lock files (June 2, 2026) and expanded threat intelligence catalogs. The roadmap includes support for non-JSON MCP configs (Codex `config.toml`, Continue YAML), binary lockfile formats like `bun.lockb`, and deeper integration with fleet management platforms.

The threat landscape is moving faster than traditional security tools can keep up. Bumblebee represents a shift toward read-only, ecosystem-aware inventory collection that scales across developer fleets. As supply-chain attacks become more sophisticated, having a fast, trustworthy way to answer "do we have this vulnerable package?" is no longer optional—it's essential infrastructure.

Sources