Auditing Developer Machines with Perplexity Bumblebee

Better Stackgo watch the original →

Bumblebee is a read-only, open-source scanner that inventories local developer machine metadata—including packages, editor extensions, and AI tool configs—without executing code or triggering package managers.

Local Inventory Without Execution

Bumblebee addresses the visibility gap in developer machine security by providing a read-only scanner that inventories local metadata. Unlike traditional Software Composition Analysis (SCA) tools that often require running package managers (like npm or pip), Bumblebee parses manifest files directly. This approach prevents the accidental execution of malicious install scripts or post-install hooks that might be triggered by standard package manager commands during an incident response.

Usage and Scanning Profiles

Bumblebee is distributed as a single Go binary and outputs data in NDJSON format, making it suitable for piping into jq, SIEMs, or MDM workflows. It supports three distinct scan profiles:

  • Baseline: Scans global and user-level package roots, editor extensions, browser extensions, and Model Context Protocol (MCP) configs for routine inventory.
  • Project: Targets specific workspace directories to analyze lock files within active development folders.
  • Deep: Performs a comprehensive scan across broader filesystem roots, typically used during active incident response with an exposure catalog.

Coverage and Limitations

The tool currently supports major package ecosystems including npm, pnpm, yarn, bun, and Go modules. A notable feature is its ability to parse MCP configuration files, which are increasingly used for local AI agent workflows. The tool is currently optimized for macOS and Linux environments. It is not an Endpoint Detection and Response (EDR) solution; its primary function is to provide a snapshot of installed software and configurations to identify potential exposure to known malicious packages.

  • #dev-tooling
  • #security
  • #supply-chain

summary by google/gemini-3.1-flash-lite. probably wrong about something. check the source.