Perplexity Open-Sources Bumblebee: A Read-Only Supply-Chain Scanner for Developer Endpoints
Perplexity has open-sourced Bumblebee, a read-only inventory collector for macOS and Linux developer endpoints, to help protect against increasing attacks on developer machines.

In response to the growing threat of attacks on developer machines, Perplexity has open-sourced an internal tool called Bumblebee. This read-only inventory collector targets macOS and Linux developer endpoints and is written entirely in Go with zero non-stdlib dependencies. Perplexity already uses Bumblebee internally to protect the developer systems behind its search product, Comet browser, and Computer agent.

The need for Bumblebee arises from the fact that attackers increasingly target packages, editor extensions, and AI tool configs on developer machines rather than just production systems. For software engineers and data scientists, this means dozens of locally installed packages, along with editor extensions, browser add-ons, and possibly MCP (Model Context Protocol) configs on their machines. When a new vulnerability surfaces, the security team faces the urgent question of which developer machines are exposed.

Existing tools do not fully answer this question. SBOMs (Software Bills of Materials) and vulnerability scanners cover build artifacts and repositories, while EDR (Endpoint Detection and Response) products track which processes ran or touched the network. Neither checks local developer state: the lockfiles, package metadata, extension manifests, and AI tool configs scattered across a laptop's filesystem. Bumblebee fills this gap as a one-shot scanner: it performs a single scan and exits, and the operator is responsible for the cadence.

Bumblebee supports three scan profiles: baseline, project, and deep. The baseline profile scans common global and user package roots, language toolchains, editor extensions, browser extensions, and MCP configs. The project profile targets configured development directories, while the deep profile sweeps operator-supplied roots. Internally, Perplexity uses Bumblebee inside a five-step workflow to identify and respond to threat signals. The tool covers four surface areas that existing tools typically handle separately: language package managers, AI agent configs, editor extensions, and browser extensions.

Bumblebee requires Go 1.25 or later and is licensed under the Apache License 2.0. The current release is v0.1.1, and the tool is available on GitHub. With Bumblebee, Perplexity aims to address the growing threat of attacks on developer machines, and the company encourages developers to check out the GitHub repo and technical details for more information.
Source: MarkTechPost