Bumblebee: Securing Devs - Critical Open Source

May 23, 2026

Tech


Quick Intel


  • Perplexity has open-sourced Bumblebee, a read-only inventory collector for macOS and Linux developer endpoints, built to find developer machines exposed to software supply-chain compromises.
  • Bumblebee inspects local developer state, including lockfiles, installed package metadata, and AI tool configs, to identify which machines actually hold an exposed package or configuration, a view existing tools do not provide.
  • Its ecosystem coverage maps to recent active supply-chain campaigns, such as the Mini Shai-Hulud series, which hit packages across npm, PyPI, Go modules, and Composer.
  • Three scan profiles, baseline, project, and deep, cover common package roots, development directories, and bare home directories.
  • The tool performs a single scan and exits, emitting structured records as NDJSON with diagnostics on stderr; run cadence is left to operator tooling (cron, launchd, systemd, MDM).
  • Bumblebee covers four surface areas: language package managers (npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer), AI agent configs (MCP JSON files), editor extensions (VS Code, Cursor, Windsurf, VSCodium), and browser extensions (Chrome, Comet, Edge, Brave, Arc, Firefox).
  • Bumblebee never runs install scripts or lifecycle hooks and never invokes npm, pnpm, bun, or pip; it only reads files already on disk. It is an inventory collector, not an EDR, and does no network monitoring.
  • Each package record includes hostname, OS, architecture, ecosystem, package name, version, source file, and a confidence level reflecting how well the on-disk metadata matched.
  • ๐Ÿ“Summary


    Perplexity has released Bumblebee, an open-source tool for macOS and Linux that identifies developer endpoints exposed to supply-chain attacks. Written in Go, it performs a single scan that reads package metadata, extension manifests, and AI tool configurations from disk. It fills a gap in endpoint visibility by mapping its coverage to recent campaigns such as Mini Shai-Hulud, which affected projects including TanStack, SAP, and Zapier. Bumblebee runs a five-step workflow triggered by threat intelligence and outputs structured records of its findings across four categories: language package managers, AI agent configurations, editor extensions, and browser extensions. It never executes install scripts and performs no network monitoring, so a scan cannot itself trigger malicious code; the result is targeted detection of exposed packages with traceable evidence for security teams.

    Insights



    CHAPTER 1: THE GROWING THREAT TO LOCAL DEVELOPER ENVIRONMENTS
    Developers face a growing security risk from the sheer number of packages, editor extensions, and AI tool configurations present on their local machines. These artifacts are often outside the reach of traditional security controls, which makes them an attractive target for attackers running supply-chain campaigns.

    CHAPTER 2: BUMBLEBEE: A READ-ONLY INVENTORY COLLECTOR
    Perplexity built Bumblebee to close this gap in security monitoring. The open-sourced Go application acts as a read-only inventory collector for macOS and Linux developer endpoints, giving a granular view of what is installed on each machine. It is built with zero non-stdlib dependencies, which keeps the collector's own supply chain small and its binary lean.

    CHAPTER 3: FUNCTIONALITY AND SCAN PROFILES
    Bumblebee is a one-shot scanner: it performs a single scan and exits, and the cadence is set by whatever the operator already uses, whether cron, launchd, systemd, or MDM fleet tooling. Structured records are emitted as NDJSON, while diagnostics go to stderr so they never mix with the record stream. Three scan profiles, baseline, project, and deep, let operators choose how widely the scan reaches.

    CHAPTER 4: DETAILED SCANNING CAPABILITIES
    Bumblebee scans four key areas: language package managers (npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer), AI agent configs (MCP JSON files, Gemini CLI configs), editor extensions (VS Code, Cursor, Windsurf, VSCodium), and browser extensions (Chromium-family browsers such as Chrome, Comet, Edge, Brave, and Arc, plus Firefox). Crucially, it never runs install scripts or invokes package managers, so a scan cannot itself trigger a malicious install hook.

    CHAPTER 5: DATA COLLECTION AND REPORTING
    Each package record generated by Bumblebee includes the hostname, OS, architecture, ecosystem, package name, version, source file, and a confidence level that reflects how well the on-disk metadata matched. Findings are fully traceable: each one carries a severity, the catalog ID of the matching entry, and the evidence behind the match, so an analyst can follow it back to the originating catalog entry. The exposure catalogs that drive matching, including threat-intel directories, are maintained so that new campaigns can be checked against existing inventory.