Source: MarkTechPost (marktechpost.com) AI Summary

Perplexity Open-Sources Bumblebee: A Security Scanner for Developer Endpoints

Perplexity released Bumblebee, a free open-source read-only scanner for developer machines. Written in Go with zero external dependencies, it inventories local packages, editor extensions, and AI tool configs to identify exposure when a new supply-chain vulnerability surfaces.

AI Disclosure: This article was generated with AI assistance from publicly available sources. Human review applied before publication.

When a new supply-chain vulnerability gets named, the urgent question isn’t whether production is patched. It’s which developer machines are exposed right now.

That gap is where most existing security tooling falls short. SBOMs and vulnerability scanners cover build artifacts and repositories. EDR products track what processes ran or touched the network. Neither checks local developer state — the lockfiles, package metadata, editor extensions, browser add-ons, and AI tool configs scattered across a developer’s laptop.

Perplexity built a tool to fill that gap internally, and this week they published it on GitHub. Bumblebee is a read-only inventory collector for macOS and Linux developer endpoints. It’s written entirely in Go with zero non-stdlib dependencies. Run it, and it outputs a structured NDJSON snapshot of what’s installed: packages from npm, PyPI, RubyGems, Go modules, and Composer; editor extensions; browser add-ons; and MCP (Model Context Protocol) configs.

The covered ecosystems weren’t chosen arbitrarily. According to the MarkTechPost article, they map to the Mini Shai-Hulud supply-chain campaign series — a set of attacks that hit packages across TanStack, SAP, and Zapier.

Bumblebee doesn’t run as a persistent agent. Each invocation scans and exits. Scheduling is the operator’s responsibility — cron, launchd, or whatever else fits the setup. Perplexity uses it internally to monitor developer systems behind their search product, Comet browser, and Computer agent.

Why this matters for solo founders: Most security tools assume you have a team to manage them. A zero-dependency, read-only scanner that runs from cron is realistic for a one-person setup. The MCP config scanning is a detail worth noting — if you’re building with AI tooling locally, that attack surface mostly goes unmonitored by standard tools.
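To make the collector-then-match idea concrete, here is an added example in Go (written for this summary; it is not Bumblebee's code and not taken from the article). It handles two of the sources named above, an npm lockfile and an MCP client config: it parses constructed sample inputs embedded inline, emits one NDJSON record per installed package or configured server, and then answers the incident-day question by matching the snapshot against a constructed list of compromised (ecosystem, name, version) triples. The lockfile keys follow npm's lockfileVersion 3 layout; the `mcpServers` config shape, the record fields and the IOC list are assumptions made for the example. Note that nested copies of the same package are kept as separate records, since deduplicating by name would hide an exposed version.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Record is one line of the NDJSON inventory snapshot (field set is an assumption).
type Record struct {
	Kind      string `json:"kind"`                // "package" or "mcp_server"
	Ecosystem string `json:"ecosystem,omitempty"` // "npm" for lockfile entries
	Name      string `json:"name"`
	Version   string `json:"version,omitempty"`
	Command   string `json:"command,omitempty"` // MCP server launch line
	Source    string `json:"source"`            // file the record was read from
}

// Constructed sample inputs; neither comes from a real project.
// samplePackageLock follows npm's lockfileVersion 3 layout: every installed
// package is keyed by its node_modules path, nested copies included.
const samplePackageLock = `{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/@scope/widget": {"version": "2.0.1"},
    "node_modules/@scope/widget/node_modules/left-pad": {"version": "1.1.0"}
  }
}`

// sampleMCPConfig uses the "mcpServers" shape common to MCP client configs
// (an assumed layout; Bumblebee's own parsing is not shown here).
const sampleMCPConfig = `{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]},
    "db": {"command": "/usr/local/bin/mcp-db", "args": []}
  }
}`

// parsePackageLock emits one record per installed npm package. The root
// project entry (key "") is skipped; nested copies are kept as their own records.
func parsePackageLock(data []byte, source string) ([]Record, error) {
	var lock struct {
		Packages map[string]struct {
			Version string `json:"version"`
		} `json:"packages"`
	}
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	var recs []Record
	for path, p := range lock.Packages {
		i := strings.LastIndex(path, "node_modules/") // last segment handles nesting and @scope/ names
		if path == "" || i < 0 {
			continue
		}
		recs = append(recs, Record{Kind: "package", Ecosystem: "npm",
			Name: path[i+len("node_modules/"):], Version: p.Version, Source: source})
	}
	sortRecords(recs)
	return recs, nil
}

// parseMCPConfig records each configured MCP server with its launch command,
// so a config that pulls a compromised package can be found later.
func parseMCPConfig(data []byte, source string) ([]Record, error) {
	var cfg struct {
		Servers map[string]struct {
			Command string   `json:"command"`
			Args    []string `json:"args"`
		} `json:"mcpServers"`
	}
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	var recs []Record
	for name, s := range cfg.Servers {
		recs = append(recs, Record{Kind: "mcp_server", Name: name, Source: source,
			Command: strings.TrimSpace(s.Command + " " + strings.Join(s.Args, " "))})
	}
	sortRecords(recs)
	return recs, nil
}

// sortRecords makes snapshots deterministic so two runs can be diffed.
func sortRecords(recs []Record) {
	sort.Slice(recs, func(a, b int) bool {
		if recs[a].Name != recs[b].Name {
			return recs[a].Name < recs[b].Name
		}
		return recs[a].Version < recs[b].Version
	})
}

// IOC is one compromised (ecosystem, package, version) triple from an advisory.
type IOC struct{ Ecosystem, Name, Version string }

// matchIOCs answers the incident-day question: which recorded packages are on the list?
func matchIOCs(recs []Record, iocs []IOC) []Record {
	bad := make(map[IOC]bool, len(iocs))
	for _, i := range iocs {
		bad[i] = true
	}
	var hits []Record
	for _, r := range recs {
		if r.Kind == "package" && bad[IOC{r.Ecosystem, r.Name, r.Version}] {
			hits = append(hits, r)
		}
	}
	return hits
}

// writeNDJSON writes one JSON object per line; json.Encoder appends the newline.
func writeNDJSON(w io.Writer, recs []Record) error {
	enc := json.NewEncoder(w)
	for _, r := range recs {
		if err := enc.Encode(r); err != nil {
			return err
		}
	}
	return nil
}

func check(err error) {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}

func main() {
	pkgs, err := parsePackageLock([]byte(samplePackageLock), "package-lock.json")
	check(err)
	mcp, err := parseMCPConfig([]byte(sampleMCPConfig), "mcp.json")
	check(err)
	check(writeNDJSON(os.Stdout, append(pkgs, mcp...)))
	// Constructed IOC list standing in for a real advisory; only the nested 1.1.0 copy matches.
	for _, h := range matchIOCs(pkgs, []IOC{{"npm", "left-pad", "1.1.0"}}) {
		fmt.Fprintf(os.Stderr, "EXPOSED: %s@%s via %s\n", h.Name, h.Version, h.Source)
	}
}
```

Run from cron or launchd as the article describes, the snapshot lines can be shipped to a log store and the match step re-run whenever a new advisory publishes its package list; a read-only inventory like this tells you exposure, not compromise, so a hit is the start of an investigation rather than its conclusion.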

Source: Perplexity Open-Sources Bumblebee: A Read-Only Supply-Chain Scanner for Developer Endpoints — MarkTechPost, May 23, 2026.

AI-assisted summary. All claims based solely on the linked source. ai_generated: true.