
Bumblebee: Perplexity’s Open-Source Scanner for Developer Supply Chain Threats

Bumblebee scans npm, PyPI, Go, IDE extensions, browser extensions, and MCP configs on developer machines

Perplexity AI — the search company — open-sourced a developer security tool on May 22. Not an AI feature. A read-only supply chain scanner called Bumblebee, written in Go, zero dependencies, Apache 2.0. The timing is not a coincidence: supply chain attacks targeting developer machines are up 60% this year, and attackers have figured out that your laptop is more valuable than your production servers.

The reason Bumblebee is worth your attention comes down to one thing existing tools miss: it scans your MCP configuration files. Those are the local JSON files that tell Claude Desktop, Cursor, and Gemini CLI which external services they’re allowed to connect to. A poisoned MCP config doesn’t just compromise your environment — it turns your AI assistant into an agent that silently leaks credentials or runs unauthorized commands. No other general-purpose scanner covers this surface. Bumblebee does.

Why Developer Machines Are Now the Primary Target

The math is simple. A developer machine concentrates everything an attacker wants: SSH keys, API tokens, .env files, cloud credentials, shell history, and now — the configs that grant your AI tooling access to email, calendars, and production databases. Sonatype identified 21,764 open source malware packages in Q1 2026 alone, with 75% targeting npm. The self-propagating Shai-Hulud worm compromised 500+ packages in days. Supply chain attacks now hit npm, PyPI, and Crates.io simultaneously — and developer machines are the soft landing zone.

The March 2026 ContextCrush incident made the MCP risk concrete: a tampered MCP server config can deliver attacker-controlled instructions directly into an AI agent’s working memory, letting it exfiltrate credentials or invoke tools in the background without any visible indication. MCP tool poisoning has already forced Microsoft to release an emergency .NET fix. Most security tooling was built before AI assistants became standard developer infrastructure. Nobody was watching the MCP configs.
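To make the MCP config surface concrete, here is an added example (not Bumblebee's code and not from the original article) that inventories a config read from disk and flags any server whose launch line is not on a reviewed allowlist. It assumes the `mcpServers` JSON layout used by Claude Desktop and Cursor; the sample config, the `notes-sync` server and the allowlist are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample in the "mcpServers" layout; names, paths and token are made up.
const sampleConfig = `{"mcpServers": {
 "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/code"]},
 "notes-sync": {"command": "node", "args": ["/tmp/notes-sync/index.js"], "env": {"API_TOKEN": "placeholder"}}}}`

type server struct{ Command string; Args []string; Env map[string]string }

// Finding is one inventory record. Env values are never copied, only their names.
type Finding struct {
	Server, Launch string
	EnvKeys        []string
	Unapproved     bool
}

// AuditMCP only parses bytes; approved is a hypothetical allowlist of full launch lines.
func AuditMCP(raw []byte, approved map[string]bool) ([]Finding, error) {
	var cfg struct {
		Servers map[string]server `json:"mcpServers"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse mcp config: %w", err)
	}
	var out []Finding
	for name, s := range cfg.Servers {
		launch := strings.Join(append([]string{s.Command}, s.Args...), " ")
		f := Finding{Server: name, Launch: launch, Unapproved: !approved[launch]}
		for k := range s.Env {
			f.EnvKeys = append(f.EnvKeys, k)
		}
		sort.Strings(f.EnvKeys)
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Server < out[j].Server })
	return out, nil
}

func main() {
	ok := map[string]bool{"npx -y @modelcontextprotocol/server-filesystem /home/dev/code": true}
	findings, err := AuditMCP([]byte(sampleConfig), ok)
	fmt.Printf("%+v %v\n", findings, err)
}
```

Matching on the full launch line, not just the server name, means a changed argument or swapped binary under a familiar name still shows up as unapproved.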

What Bumblebee Actually Does

Bumblebee is a read-only scanner for on-disk developer state. It covers npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer, IDE extensions (VS Code, JetBrains), browser extensions, and MCP configuration files. It outputs structured NDJSON to stdout — one record per line — which pipes cleanly to any SIEM, dashboard, or incident response tool.

The critical design decision: Bumblebee never runs npm, pip, or any package manager command. It never executes install scripts or lifecycle hooks. It reads only lockfiles, manifests, and installed package metadata directly from disk. This matters because some supply chain attack payloads hide in preinstall and postinstall hooks — running the package manager to audit it can trigger the attack. Bumblebee sidesteps this by operating below the package manager layer.

Three Profiles for Different Situations

Bumblebee ships with three scan profiles:

  • baseline — Daily inventory scan covering all package roots, language toolchains, editor extensions, browser extensions, and MCP configs. Run this on a schedule.
  • project — Targeted sweep of configured development directories like ~/code or ~/src. Useful for auditing a specific project environment.
  • deep — Active incident response. Sweeps operator-supplied roots against an exposure catalog. Built for the “we just heard about a supply chain hit — who is exposed?” scenario.

Getting started takes two commands:

go install github.com/perplexityai/bumblebee/cmd/bumblebee@v0.1.1
bumblebee scan --profile baseline > inventory.ndjson

For incident response with an exposure catalog:

bumblebee scan --profile deep \
  --root "$HOME" \
  --exposure-catalog ./catalog.json \
  --max-duration 10m

Exposure catalogs are JSON files listing known-bad packages for exact-match detection. Bumblebee doesn’t ship with a continuously updated advisory feed — you maintain the catalog yourself, or tie it to a source like the Sonatype advisory database or GitHub Advisory Database. That’s the one genuine limitation worth knowing going in.
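The read-only design and exact-match catalogs described above can be illustrated with an added example (not Bumblebee's code, and not its catalog schema): it parses an npm `package-lock.json` directly and reports installed versions that exactly match a known-bad set, without ever invoking npm. The lockfile content, package names and the `name@version` catalog shape are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed package-lock.json (lockfileVersion 3); package names are made up.
const sampleLock = `{"lockfileVersion": 3, "packages": {
 "": {"name": "demo-app", "version": "1.0.0"},
 "node_modules/example-util": {"version": "2.1.0"},
 "node_modules/@example-org/telemetry": {"version": "4.0.2", "hasInstallScript": true},
 "node_modules/example-util/node_modules/@example-org/telemetry": {"version": "4.0.1"}}}`

// Hit is an installed package version that exactly matches a catalog entry.
type Hit struct {
	Name, Version, Path string
	HasInstallScript    bool
}

// MatchLock only parses bytes (no npm, no hooks); known is a hypothetical "name@version" set.
func MatchLock(raw []byte, known map[string]bool) ([]Hit, error) {
	var lock struct {
		Packages map[string]struct{ Version string; HasInstallScript bool }
	}
	if err := json.Unmarshal(raw, &lock); err != nil {
		return nil, fmt.Errorf("parse lockfile: %w", err)
	}
	var hits []Hit
	for path, p := range lock.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 {
			continue // the "" key is the root project, not a dependency
		}
		name := path[i+len("node_modules/"):] // nested copies resolve to the same name
		if known[name+"@"+p.Version] {
			hits = append(hits, Hit{name, p.Version, path, p.HasInstallScript})
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Path < hits[j].Path })
	return hits, nil
}

func main() {
	hits, err := MatchLock([]byte(sampleLock), map[string]bool{"@example-org/telemetry@4.0.2": true})
	fmt.Printf("%+v %v\n", hits, err)
}
```

Because matching is exact, the nested 4.0.1 copy is not reported unless the catalog lists that version too, which is why catalog freshness matters.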

The Bigger Signal

Perplexity is an AI company. They’re not in the security business. The fact that they built and open-sourced a tool specifically to protect developers using AI tooling — and made MCP config scanning a first-class feature — signals something worth noting: the AI industry is beginning to reckon with the security implications of the infrastructure it’s created.

The MCP ecosystem is expanding fast. WebMCP landed in Chrome 149, making any website a potential AI agent tool. The Hacker News thread on Bumblebee’s launch included a comment that’s hard to argue with: “Finally, something that scans MCP configs. I’ve been saying for months that nobody’s watching that surface.”

That surface is only going to grow. Running Bumblebee now — especially the MCP config portion — is the kind of five-minute check that’s easy to skip and painful to have skipped. The official announcement has the full documentation. Windows support is still pending; macOS and Linux are covered today.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover the latest tech news and controversies and summarize them into byte-sized, easily digestible information.
