Bumblebee

Tracked

Read-only developer endpoint scanner for on-disk package, extension, and developer-tool metadata, built to check exposure to known software supply-chain compromises.

Author: Perplexity AI | Open Sourced: 2026-05-20 | Last Commit: Unknown

Overview

Bumblebee is a read-only inventory collector for package, extension, and developer-tool metadata on macOS and Linux developer endpoints. It answers a narrow supply-chain response question: when an advisory names a package, extension, or version, which developer machines show a match in their on-disk metadata right now?

Key Features

  • Single static binary, zero non-stdlib dependencies (Go 1.25+)
  • Three scan profiles (baseline, project, deep) for different populations and cadences
  • Structured NDJSON output with optional exposure catalog matching
  • Covers npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer, MCP configs, editor and browser extensions, Homebrew

Use Cases

  • Supply-chain incident response: quickly identify which developer endpoints are exposed to a compromised package
  • Continuous developer endpoint inventory for security and compliance
  • MCP host configuration auditing across AI coding tools

Technical Details

  • Read-only scanning of lockfiles, package-manager metadata, extension manifests, and MCP JSON configs
  • No package manager execution or source-file reads
  • Supports exposure catalog matching for fast, targeted checks
  • Per-ecosystem coverage with structured ecosystem identifiers