Perplexity Open-Sources Bumblebee: A Read-Only Supply-Chain Exposure Scanner for Developer Endpoints

Attackers are increasingly targeting the packages, editor extensions, and AI tool configurations on developer machines, not just production systems. Perplexity has open-sourced an internal tool it uses to address this problem.
Perplexity has released Bumblebee on GitHub. The tool is a read-only inventory collector for developer endpoints on macOS and Linux. It is written entirely in Go with zero non-stdlib dependencies. Perplexity already uses it internally to secure the developer machines behind its search product, Comet browser, and Computer agent.
The problem Bumblebee solves
If you are a software engineer or data scientist, you probably have many packages installed on your machine, along with editor extensions, browser add-ons, and MCP (Model Context Protocol) settings. When a new compromise is disclosed, your security team faces one pressing question: which developer machines are exposed right now?
Existing tools do not fully answer it. SBOMs (Software Bills of Materials) and vulnerability scans cover build artifacts and repositories. EDR (Endpoint Detection and Response) products track which processes have run and what touched the network. Nothing inventories the local developer state: lock files, package metadata, extension manifests, and AI tool settings are scattered across the laptop's filesystem.
Bumblebee fills that gap. When an advisory names a package, extension, or version, it answers which machines show a match in their on-disk metadata right now. The ecosystem coverage is deliberate: it maps to recent active supply-chain campaigns, including the Mini Shai-Hulud series, which spanned npm, PyPI, RubyGems, Go modules, and developer packages from companies including TanStack, SAP, and Zapier.
How Bumblebee works
Bumblebee is a single-shot scanner. Each invocation performs one scan and exits. Cadence is the operator's responsibility: cron, launchd, systemd, or an MDM-shipped tool. It emits structured records as NDJSON (newline-delimited JSON), one per line, and diagnostics to stderr.
The tool supports three scanning profiles. The baseline profile scans common user package roots, language toolchains, editor extensions, browser extensions, and MCP configurations. The project profile targets development directories such as ~/code or ~/src. The deep profile sweeps an operator-provided root, usually the entire home directory during an active incident.
Internally, Perplexity uses Bumblebee in a five-step workflow. A threat signal arrives from a public disclosure or a third-party intel feed. Perplexity Computer then writes a catalog update, formatted as entries keyed by ecosystem, package name, and version, and opens a GitHub PR with source links. A human reviews and merges the PR. Bumblebee then runs across developer machines with the updated catalog, and findings are routed to the security team.

What Bumblebee Scans
Bumblebee covers four surface areas that existing tools usually handle separately.
For language package managers, it covers npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, and Composer. It reads lock files and installed-package metadata directly, from sources such as package-lock.json, pnpm-lock.yaml, go.sum and *.dist-info/METADATA. Note that bun.lockb, Bun's binary lock file format, is not supported in v0.1; only the text bun.lock format is.
For AI agent configuration, Bumblebee reads the JSON configuration files of MCP hosts: mcp.json, .mcp.json, claude_desktop_config.json, mcp_config.json, mcp_settings.json, cline_mcp_settings.json and ~/.gemini/settings.json for Gemini CLI. Non-JSON MCP configs such as Codex's config.toml and Continue's YAML are not parsed in v0.1. It parses the server entries in these files but does not extract the values found in their env blocks.
For editor extensions, it reads VS Code, Cursor, Windsurf, and VSCodium. For browser extensions, it covers the Chromium family (Chrome, Comet, Edge, Brave, and Arc) and Firefox.
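The paragraph above describes the MCP host configs in prose only, so here is an added example of the same kind of read-only parse. This is not Bumblebee's code: the record fields, the `mcpServers` map layout it expects, the server names, the `@acme/mcp-files` package, the `ghcr.io/example/mcp` image and the token value are all constructed for the example. The point it shows is how to record each server's launch command and the names of its env variables without ever copying an env value into the output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// MCPServerRecord is the record shape assumed for this example (not Bumblebee's real
// schema). There is deliberately no field for env values, so a secret stored in an
// env block cannot reach the NDJSON output even by mistake.
type MCPServerRecord struct {
	Name    string   `json:"name"`
	Command string   `json:"command"`            // launch command line
	Source  string   `json:"source"`             // config file the entry came from
	EnvKeys []string `json:"env_keys,omitempty"` // variable names only
}

// mcpConfig mirrors the "mcpServers" map used by mcp.json-style host configs. Env values
// are left as undecoded raw JSON; only their keys are ever copied out.
type mcpConfig struct {
	Servers map[string]struct {
		Command string                     `json:"command"`
		Args    []string                   `json:"args"`
		Env     map[string]json.RawMessage `json:"env"`
	} `json:"mcpServers"`
}

// ParseMCPConfig reads one host config file's bytes and returns a record per server,
// sorted by name so repeated scans of the same file produce identical output.
func ParseMCPConfig(source string, data []byte) ([]MCPServerRecord, error) {
	var cfg mcpConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("%s: %w", source, err)
	}
	recs := make([]MCPServerRecord, 0, len(cfg.Servers))
	for name, s := range cfg.Servers {
		keys := make([]string, 0, len(s.Env))
		for k := range s.Env {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		cmd := strings.TrimSpace(s.Command + " " + strings.Join(s.Args, " "))
		recs = append(recs, MCPServerRecord{Name: name, Command: cmd, Source: source, EnvKeys: keys})
	}
	sort.Slice(recs, func(i, j int) bool { return recs[i].Name < recs[j].Name })
	return recs, nil
}

// SampleMCPConfig is a constructed input for this example; the token is not real.
const SampleMCPConfig = `{"mcpServers":{
  "filesystem":{"command":"npx","args":["-y","@acme/mcp-files","/tmp"]},
  "github":{"command":"docker","args":["run","-i","ghcr.io/example/mcp"],
            "env":{"GITHUB_TOKEN":"ghp_constructed_secret_value"}}}}`

func main() {
	recs, err := ParseMCPConfig("/home/dev/.cursor/mcp.json", []byte(SampleMCPConfig))
	if err != nil {
		fmt.Fprintln(os.Stderr, err) // diagnostics on stderr, records on stdout
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout) // Encode ends each object with '\n': NDJSON
	for _, r := range recs {
		enc.Encode(r)
	}
}
```

Keeping env values as `json.RawMessage` means the parser never even decodes them; the inventory still shows that a server named `github` is launched with an env variable called `GITHUB_TOKEN`, which is what an incident responder needs when a host or image turns out to be malicious.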
Why read-only
npm packages can carry postinstall scripts that run automatically on npm install. A scanner that invokes npm to check for exposure has already triggered the very attack it was looking for. Bumblebee avoids this entirely: it never runs install scripts or lifecycle hooks, never calls npm, pnpm, bun, or pip, never reads application source files, and performs no process or network monitoring. It is not EDR.
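As an added example of the read-only approach described above and of the lock-file sources listed under "What Bumblebee Scans", here is a parser that inventories npm packages from a `package-lock.json` (lockfileVersion 2/3 `packages` map) as plain JSON, never invoking npm, and emits one NDJSON record per dependency with a confidence level in the spirit of the output section below. This is not Bumblebee's code; the record fields, the `@acme/widgets` package and the sample lock file are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// PackageRecord is the record shape assumed for this example, not Bumblebee's real schema.
type PackageRecord struct {
	Host       string `json:"host"`
	Ecosystem  string `json:"ecosystem"`
	Name       string `json:"name"`
	Version    string `json:"version,omitempty"`
	Source     string `json:"source"`     // file the record was read from
	Confidence string `json:"confidence"` // high / medium / low
}

// npmLock mirrors the "packages" map of a lockfileVersion 2/3 package-lock.json.
type npmLock struct {
	Packages map[string]struct {
		Version string `json:"version"`
	} `json:"packages"`
}

// ParseNpmLock inventories npm packages from raw package-lock.json bytes. npm itself is
// never invoked, so no postinstall or other lifecycle script can fire during the scan.
func ParseNpmLock(host, source string, data []byte) ([]PackageRecord, error) {
	var lock npmLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("%s: %w", source, err)
	}
	const marker = "node_modules/"
	var recs []PackageRecord
	for key, entry := range lock.Packages {
		if key == "" {
			continue // the "" key is the root project, not a dependency
		}
		// Nested installs look like "node_modules/a/node_modules/b": the text after the
		// last "node_modules/" is the package name, scope prefix ("@org/") included.
		name := key
		if i := strings.LastIndex(key, marker); i >= 0 {
			name = key[i+len(marker):]
		}
		conf := "high" // identity and version both present in canonical metadata
		if entry.Version == "" {
			conf = "medium" // identity is certain but the version is missing
		}
		recs = append(recs, PackageRecord{Host: host, Ecosystem: "npm", Name: name,
			Version: entry.Version, Source: source, Confidence: conf})
	}
	// Map iteration order is random; sort so repeated scans give identical output.
	sort.Slice(recs, func(i, j int) bool { return recs[i].Name < recs[j].Name })
	return recs, nil
}

// SampleNpmLock is a constructed input for this example. left-pad's version is
// deliberately omitted to exercise the medium-confidence path.
const SampleNpmLock = `{"lockfileVersion":3,"packages":{"":{"name":"demo","version":"1.0.0"},
  "node_modules/@acme/widgets":{"version":"2.1.0"},
  "node_modules/left-pad":{"resolved":"https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
  "node_modules/left-pad/node_modules/ansi-regex":{"version":"5.0.1"}}}`

func main() {
	host, _ := os.Hostname()
	recs, err := ParseNpmLock(host, "/home/dev/code/app/package-lock.json", []byte(SampleNpmLock))
	if err != nil {
		fmt.Fprintln(os.Stderr, err) // diagnostics on stderr, records on stdout
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout) // Encode ends each object with '\n': NDJSON
	for _, r := range recs {
		enc.Encode(r)
	}
}
```

The only filesystem interaction a real collector adds is reading the file; the parse itself has no way to execute anything, which is the property the paragraph above is after.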
Output and catalog format
Each package record includes hostname, OS, architecture, ecosystem, package name, version, source file, and a confidence field. Confidence is high where identity and version both appear in canonical metadata, medium where identity is reliable but the version or source is partial, and low where only an indirect reference is found.
Security teams supply their own catalogs: simple JSON files that specify the ecosystem, package name, and affected versions. When Bumblebee finds a match, it emits a finding record that includes severity, catalog ID, and evidence. Every finding is traceable back to the catalog entry that produced it. The repo includes a threat_intel/ directory of exposure catalogs built from public supply-chain campaign reporting.
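The catalog-matching step above is easy to get subtly wrong, so here is an added example of it, not Bumblebee's code. The catalog JSON layout, the finding fields, the hosts, the package names (`Demo_Toolkit`, `acme-utilz`), the `EX-2025-*` IDs and the `example.invalid` URLs are all constructed. The detail worth noticing is name normalisation: a PyPI catalog entry written `demo-toolkit` must still match a `Demo_Toolkit-0.9.1.dist-info` on disk, while npm names are compared exactly; an affected version of `*` is used here to mean "every version", as for a wholly malicious package.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// PackageRecord is one inventory record in the shape assumed for this example (not
// Bumblebee's real schema); a real record also carries OS and architecture.
type PackageRecord struct {
	Host       string `json:"host"`
	Ecosystem  string `json:"ecosystem"`
	Name       string `json:"name"`
	Version    string `json:"version"`
	Source     string `json:"source"`
	Confidence string `json:"confidence"`
}

// CatalogEntry is an assumed catalog shape. An affected version of "*" means every
// version is bad, as for a wholly malicious typosquat package.
type CatalogEntry struct {
	ID        string   `json:"id"`
	Ecosystem string   `json:"ecosystem"`
	Name      string   `json:"name"`
	Affected  []string `json:"affected_versions"`
	Severity  string   `json:"severity"`
	Reference string   `json:"reference"`
}

// Finding is emitted per match; Evidence ties it to the source file and catalog entry.
type Finding struct {
	Host      string `json:"host"`
	Severity  string `json:"severity"`
	CatalogID string `json:"catalog_id"`
	Evidence  string `json:"evidence"`
}

var pep503 = regexp.MustCompile(`[-_.]+`)

// canonicalName makes names comparable within an ecosystem. PyPI names are case-
// insensitive with runs of '-', '_' and '.' equivalent (PEP 503), so "Demo_Toolkit"
// and "demo-toolkit" are the same project; npm names are compared as written.
func canonicalName(eco, name string) string {
	if eco == "pypi" {
		return strings.ToLower(pep503.ReplaceAllString(name, "-"))
	}
	return name
}

// Match indexes the catalog by ecosystem and canonical name, then checks each record once.
func Match(recs []PackageRecord, catalog []CatalogEntry) []Finding {
	index := map[string][]CatalogEntry{}
	for _, e := range catalog {
		k := e.Ecosystem + "\x00" + canonicalName(e.Ecosystem, e.Name)
		index[k] = append(index[k], e)
	}
	var out []Finding
	for _, r := range recs {
		for _, e := range index[r.Ecosystem+"\x00"+canonicalName(r.Ecosystem, r.Name)] {
			for _, v := range e.Affected {
				if v == "*" || v == r.Version {
					out = append(out, Finding{Host: r.Host, Severity: e.Severity, CatalogID: e.ID,
						Evidence: fmt.Sprintf("%s %s@%s in %s (confidence %s) matches %s",
							r.Ecosystem, r.Name, r.Version, r.Source, r.Confidence, e.Reference)})
					break // one finding per record and catalog entry
				}
			}
		}
	}
	return out
}

// Constructed sample data: hosts, package names, IDs and URLs are invented for this example.
var SampleRecords = []PackageRecord{
	{Host: "dev-1", Ecosystem: "npm", Name: "left-pad", Version: "1.3.0", Source: "/Users/a/code/app/package-lock.json", Confidence: "high"},
	{Host: "dev-1", Ecosystem: "pypi", Name: "Demo_Toolkit", Version: "0.9.1", Source: "/Users/a/.venv/lib/python3.12/site-packages/Demo_Toolkit-0.9.1.dist-info/METADATA", Confidence: "high"},
	{Host: "dev-2", Ecosystem: "npm", Name: "acme-utilz", Version: "0.0.3", Source: "/home/b/src/web/package-lock.json", Confidence: "medium"},
}

const SampleCatalog = `[
{"id":"EX-2025-001","ecosystem":"pypi","name":"demo-toolkit","affected_versions":["0.9.1","0.9.2"],"severity":"critical","reference":"https://example.invalid/advisory/1"},
{"id":"EX-2025-002","ecosystem":"npm","name":"acme-utilz","affected_versions":["*"],"severity":"high","reference":"https://example.invalid/advisory/2"},
{"id":"EX-2025-003","ecosystem":"npm","name":"left-pad","affected_versions":["9.9.9"],"severity":"high","reference":"https://example.invalid/advisory/3"}]`

func main() {
	var cat []CatalogEntry
	if err := json.Unmarshal([]byte(SampleCatalog), &cat); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout) // one finding per line: NDJSON
	for _, f := range Match(SampleRecords, cat) {
		enc.Encode(f)
	}
}
```

On the sample data this yields two findings (the PyPI match through normalisation and the wildcard npm match) and none for `left-pad`, whose installed version is not in the affected list. Matching on exact version strings is deliberate for compromised-release catalogs; range matching, as used for ordinary CVE advisories, needs an ecosystem-aware version comparison and is out of scope here.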
Getting started
Bumblebee requires Go 1.25 or later. Install with:
go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest
After installing, bumblebee selftest verifies that the binary works correctly against embedded fixtures. The tool is licensed under the Apache License 2.0. The current release is v0.1.1.
Key Takeaways
- Bumblebee is Perplexity's open-source scanner for supply-chain exposure on developer endpoints.
- It covers npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer, MCP configurations, editor extensions, and browser extensions.
- Three scanning profiles (baseline, project and deep) support both routine inventory and active incident response.
- The tool never runs install scripts or invokes package managers, preventing scan-triggered attacks.
- Built in Go with zero non-stdlib dependencies; available now on GitHub under Apache 2.0.



