Attackers are increasingly targeting the AI tools, packages, extensions of editors, and AI tool configurations in developer systems, not only production machines. To address this problem, Perplexity released an internal tool.
Released Perplexity Bumblebee on GitHub. It is an inventory collection tool for macOS or Linux developers. The tool is entirely written in Go, and has no non-stdlib dependency. Perplexity uses it already internally to secure the developer systems that are behind its Search product, Comet Browser, and Computer Agent.
Bumblebee Solves Problems
You probably have installed dozens of software packages locally if you’re a data scientist or software engineer. On your computer, you may also have MCP (Model Context Protocol configurations), add-ons for browsers and other editor extensions. If a new security vulnerability is discovered, the first question your team must answer is: what developer machines have been exposed to it?
There are no tools available that can answer the question. The SBOMs are a list of software materials and vulnerabilities. EDR (Endpoint Detection and Response, or EDR) products monitor what programs ran on the network. Neither checks local developer state — lockfiles, package metadata, extension manifests, and AI tool configs scattered across a laptop’s filesystem.
Bumblebee is the solution. The advisory will tell you which computers are currently showing a matching package, version or extension. It was deliberate to cover a wide range of ecosystems: these ecosystems corresponded with recent supply-chain initiatives, such as the Mini Shai-Hulud campaign, which targeted npm and PyPI packages, RubyGems and Go modules across TanStack, SAP and Zapier.
Bumblebee – How it Works
Bumblebee scans only once. The scan is performed once and then the invocation ends. Cadence is the operator’s responsibility — cron, launchd, systemd, or MDM fleet tooling. The output is NDJSON, newline-delimited JSON. Diagnostics are sent to stderr.
It supports up to three scanning profiles. Three scan profiles are supported by the tool. The following are some examples of a baseline The profile scan finds common global package and user packages, as well as language toolchains and extensions for browsers and editors. The You can also find out more about the project on their website. Profile targets can be configured in development directories like ~/code You can also find out more about ~/src. The Deep Operator-provided roots are used to create a profile sweep. This is typically an empty home directory when there’s an incident.
Perplexity’s internal workflow uses Bumblebee in a 5-step process. The threat signals are derived from third-party feeds, or public disclosures. Perplexity Computer then drafts a catalog update, entering the signal as a structured entry with ecosystem, package name, and version — and opens a GitHub PR with source links. An actual developer reviews the PR and merges it. Bumblebee is then run on the endpoints using the new catalog and the findings are reported to the security team.
Bumblebee Scan
Bumblebee can cover four surfaces that are typically handled separately by existing tools.
It reads directly from the lockfiles and installed package metadata — sources like npm or pnpm. It reads lockfiles and installed package metadata directly — sources like package-lock.json, pnpm-lock.yaml, go.sum” *.dist-info/METADATA. Please note that bun.lockbBun’s binary format lockfile is not parsed by v0.1. Only the text bun.lock Format is supported.
Bumblebee uses MCP JSON host files for AI agent configurations: mcp.json, .mcp.json, claude_desktop_config.json, mcp_config.json, mcp_settings.json, cline_mcp_settings.json” ~/.gemini/settings.json Gemini CLI. Codex MCP Configurations that are not JSON-based config.toml v0.1 does not parse Continue YAML. The parser uses these files as server inventory, but doesn’t emit the environment values and environment key names that are found in Env blocks.
It reads the manifests of VS Code, Cursor Windsurf and VSCodium. For browser extensions, it covers Chromium-family browsers — Chrome, Comet, Edge, Brave, and Arc — plus Firefox.
Why only read-only
The npm package can transport Post-install Automatic execution of scripts Install npm. An attack has been launched by a scanner who invokes npm in order to verify exposure. Bumblebee does not do this by running any install scripts, lifecycle hooks or invoking bun, pip or pnpm. It also doesn’t read application source files and performs no network or process monitoring. This isn’t an EDR.
Catalogue of Outputs and Exposures
The package records include the hostname and OS. They also contain information about architectures, ecosystems, package names, versions, and source files. Confidence field. The confidence is High-quality Canonical metadata is used to determine the exact identity of a version. Medium If the source of an identity or version is not reliable, then it is not a complete and accurate identification. Low-cost When only a configuration path or specification reference is found.
Security teams supply their own exposure catalogs — simple JSON files specifying ecosystem, package name, and affected versions. Bumblebee will emit a record of a matching, including the catalog ID, severity and proof. Every finding can be traced back to the catalog entry that triggered it. This repo includes also a threat_intel/ Directory with catalogs of public exposure based on supply chain campaign reports.
Getting Started
Bumblebee requires the Go version 1.25. Install using:
go install github.com/perplexityai/bumblebee/cmd/bumblebee@latestOnce installed, Bumblebees selftest Verifies that the binary is compatible with embedded fixtures. This tool is released under Apache License 2.0. The version number is 0.1.1.
What you need to know
- Bumblebee, Perplexity’s developer-endpoint scanner open-source and read-only for supply chain exposure checks.
- This article covers MCP configurations, editor and browser extensions, RubyGems modules, Go modules (including RubyGems), Composer, Python, RubyGems.
- Three scan profiles —
The following are some examples of a baseline,You can also find out more about the project on their website.”You can also find out more about deep— support routine inventory and active incident response. - It does not run any scripts to install software or call package managers.
- Available on GitHub now, under Apache 2.0. Built in Go without any non-stdlib requirements.
Check out the GitHub Repo The following are some examples of how to get started: Technical details. Also, feel free to follow us on Twitter Join our Facebook group! 150k+ ML SubReddit Subscribe now our Newsletter. Wait! What? now you can join us on telegram as well.
Want to promote your GitHub repo, Hugging Face page, Product release or Webinar?? Connect with us
