When a new software supply-chain vulnerability is announced, security teams face a major challenge: how to quickly check if any developer's local machine is compromised.
Developers install thousands of packages, VS Code extensions, and third-party tools weekly. In the era of AI coding agents, they are also frequently installing Model Context Protocol (MCP) servers to give AI models access to local databases and files. If one of these components is compromised, it could act as a backdoor to the company's network.
Bumblebee is a new open-source tool developed by Perplexity AI to address this specific security gap. It is a read-only endpoint scanner that audits local developer configurations without executing untrusted code.
Bumblebee is a static analyzer that collects metadata from package managers, IDE extensions, and browser tools on macOS and Linux workstations. Unlike traditional vulnerability scanners, Bumblebee does not run code or trigger build tools. It strictly reads on-disk configuration files, turning them into structured records to compare against known vulnerability databases.
Many vulnerability scanners run package managers like npm or pip, which can execute malicious code hiding in package "post-install" scripts. Bumblebee strictly reads text metadata and configuration files, meaning it carries zero risk of executing hidden malware.
With AI coding assistants (like Claude Code) rising in popularity, developers are configuring MCP servers locally. Bumblebee specifically catalogs MCP configurations and IDE extensions (like Cursor and VS Code) to ensure no compromised plugins are active.
Bumblebee inventories configurations across a wide variety of development ecosystems, including:
Written in Go, Bumblebee compiles into a single static binary with zero external dependencies. It can be easily distributed via MDM (Mobile Device Management) tools to run routine security checks across all developer laptops in an organization.
Because Bumblebee is a single binary, you can download it from the project's release page and run a scan on your local machine instantly.
The tool outputs findings in structured Newline-Delimited JSON (NDJSON), making it simple to feed the audit logs into existing security and log monitoring dashboards (SIEMs).
As software supply chains grow more complex and AI assistants introduce new local configurations, auditing developer machines is becoming a top priority. Perplexity AI's Bumblebee provides security teams with a fast, non-intrusive, and completely safe way to keep developer workspaces secure.
Want to audit your machine? Check out the Bumblebee GitHub Repository.