
Bumblebee: The Read-Only Sentinel for Developer Endpoint Security

Saiyp Editorial
Jun 06, 2026
When a supply-chain advisory lands, the first question a security team has to answer is exposure: which machines actually carry the named artifact? Bumblebee, an open-source project developed by Perplexity AI, is built for that question. Unlike traditional scanners that focus on what has been shipped (SBOMs) or what is running (EDR), Bumblebee looks at the "messy local state" of a developer's machine: the lockfiles, install receipts and extension manifests that sit on disk between a build and a deployment.

The Problem: Gaps in Supply-Chain Visibility

When a new advisory is published naming a compromised package, extension, or version, security teams need to move fast. An SBOM describes the artifact you shipped, and EDR describes the processes and files on a host, but neither reliably captures the lockfiles, IDE and browser extensions, or tool configurations present in a developer's local environment. That gap is where Bumblebee operates.

What is Bumblebee?

Bumblebee is a read-only inventory collector tailored for macOS and Linux developer endpoints. Written in Go (1.25+), it is distributed as a single static binary with zero non-stdlib dependencies, which keeps it lightweight to deploy and keeps its own supply chain small.
Its primary function is to answer a narrow but critical question:
"When an advisory names a package, extension, or version, which developer machines show a match in their on-disk metadata right now?"

Key Features and Capabilities

Bumblebee distinguishes itself through its focused scope and non-intrusive methodology:
  • Read-Only, No Execution: Bumblebee does not invoke package managers (no npm ls, no pip show), so no install hooks or lifecycle scripts can run on the machine being inventoried, and it does not read source code files. Instead, it parses static metadata files: lockfiles (package-lock.json, pnpm-lock.yaml, go.sum), package manager install receipts, extension manifests (VS Code, Chrome, Firefox), and MCP (Model Context Protocol) configurations.
  • Three Scan Profiles: It offers flexibility through different scanning intensities:
    • baseline: For recurring, lightweight inventory of global tools, editors, and browsers.
    • project: For scanning configured development directories (e.g., ~/code).
    • deep: For on-demand, broad-scope investigations (e.g., scanning $HOME) often used during incident response.
  • Exposure Detection: Given an Exposure Catalog (a JSON file listing known malicious packages), Bumblebee flags exact matches in on-disk metadata, which makes for "fast, read-only exposure checks" when responders already know what they are looking for. Two caveats follow from the design: a match means the metadata references the package, not that it was installed or executed, and a package installed in a way that leaves none of the metadata Bumblebee parses will not be reported, so an empty result is a weaker signal than a hit.
  • Structured Output: The tool outputs data in NDJSON (Newline Delimited JSON) format, making it easy to parse and integrate into Security Orchestration, Automation, and Response (SOAR) platforms or data lakes.
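The following Go program is an added example, not code from the page or from the Bumblebee project. It demonstrates the technique the bullets above describe for one ecosystem: parse an npm package-lock.json (lockfileVersion 2/3) without invoking npm, match each entry's exact name@version against a catalog, and emit the hits as NDJSON. The lockfile and catalog are constructed, and the catalog shape (name@version strings) and the output field names are assumptions, since the page does not document Bumblebee's catalog schema or NDJSON fields. It also shows two details a real matcher must get right: nested installs (node_modules/a/node_modules/b) resolve to the innermost package, and scoped names (@scope/pkg) keep their slash.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Constructed sample package-lock.json (lockfileVersion 3); no real advisory is implied.
const sampleLock = `{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/@scope/widget": {"version": "2.4.1"},
    "node_modules/@scope/widget/node_modules/left-pad": {"version": "1.2.0"}
  }
}`

// sampleCatalog is a constructed exposure list of name@version strings; this shape is an assumption for the example, not Bumblebee's real catalog schema.
var sampleCatalog = []string{"left-pad@1.2.0", "@scope/widget@9.9.9"}

// lockfile is the subset of package-lock.json (v2/v3) needed: "packages" keys are install paths.
type lockfile struct {
	Packages map[string]struct {
		Version string `json:"version"`
	} `json:"packages"`
}

// Finding is one output record, written as a single NDJSON line.
type Finding struct {
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
	Version   string `json:"version"`
	Source    string `json:"source"`
}

// catalogSet indexes the catalog for O(1) exact-match lookups.
func catalogSet(entries []string) map[string]bool {
	set := make(map[string]bool, len(entries))
	for _, e := range entries {
		set[e] = true
	}
	return set
}

// packageName maps an install path to a package name: nested installs resolve to the innermost package, scoped names keep their slash, and the root entry "" yields "".
func packageName(key string) string {
	i := strings.LastIndex(key, "node_modules/")
	if i < 0 {
		return ""
	}
	return key[i+len("node_modules/"):]
}

// matchLockfile parses lockfile bytes and reports entries whose exact name@version is in the catalog. It never runs npm, so no lifecycle script can fire; it reads only on-disk metadata.
func matchLockfile(raw []byte, source string, catalog map[string]bool) ([]Finding, error) {
	var lf lockfile
	if err := json.Unmarshal(raw, &lf); err != nil {
		return nil, fmt.Errorf("%s: %w", source, err)
	}
	var out []Finding
	for key, meta := range lf.Packages {
		name := packageName(key)
		if name != "" && meta.Version != "" && catalog[name+"@"+meta.Version] {
			out = append(out, Finding{"npm", name, meta.Version, source})
		}
	}
	// Map iteration order is random; sort so the output is stable and diffable.
	sort.Slice(out, func(i, j int) bool {
		return out[i].Name+"@"+out[i].Version < out[j].Name+"@"+out[j].Version
	})
	return out, nil
}

// writeNDJSON emits one JSON object per line, the form SOAR pipelines and data lakes ingest.
func writeNDJSON(w io.Writer, findings []Finding) error {
	enc := json.NewEncoder(w)
	for _, f := range findings {
		if err := enc.Encode(f); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	findings, err := matchLockfile([]byte(sampleLock), "~/code/demo/package-lock.json", catalogSet(sampleCatalog))
	if err == nil {
		err = writeNDJSON(os.Stdout, findings) // only the nested left-pad@1.2.0 matches
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it and only the nested left-pad@1.2.0 is reported: the top-level left-pad@1.3.0 and @scope/widget@2.4.1 are not, because matching is on the exact version, which is the same "exact match on disk" behaviour the Exposure Catalog bullet describes. Note that the result says the lockfile pins the bad version, not that the package was ever installed or run.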

Broad Ecosystem Coverage

Bumblebee supports a wide range of ecosystems and tools commonly found in modern development workflows:
Ecosystem / Category   Coverage Details
Package Managers       npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer
AI/Dev Tools           MCP configs (Claude, Gemini, etc.), Agent Skills (skills.sh)
Extensions             VS Code, Cursor, Browser extensions (Chromium & Firefox)
System Tools           Homebrew (macOS)

How to Use Bumblebee

Getting started with Bumblebee is straightforward for developers and security engineers:
  1. Installation: It can be installed via go install:

```bash
go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest
```

  2. Inventory Scan: Perform a baseline scan of the system and keep the output, so later runs can be diffed against it:

```bash
bumblebee scan --profile baseline > inventory.ndjson
```

  3. Exposure Check: During an incident, use the deep profile with an exposure catalog, restricting output to catalog matches rather than the full inventory:

```bash
bumblebee scan --profile deep \
  --root "$HOME" \
  --exposure-catalog ./malicious-packages.json \
  --findings-only
```

Conclusion

Bumblebee fills a narrow but useful niche in the security toolkit. It is not a replacement for SBOM generation or runtime EDR; rather, it is a complementary asset for supply-chain response. By converting scattered on-disk state into structured, queryable data, Bumblebee lets organizations quickly identify which developer machines reference a named package, extension, or version. Because it only reads metadata, running it on a suspect machine does not change that machine's state, which matters during incident response, and its support for modern AI tooling (MCP configurations and Agent Skills) makes it relevant to today's AI-augmented development environments.
For more information, documentation, and to access the latest releases, visit the Bumblebee GitHub repository.