Bumblebee Tutorial: Scan Your Dev Machine for Supply Chain Risks
How to install and use Bumblebee, Perplexity's open-source scanner for npm, MCP configs, and extensions. Real commands, scan profiles, and incident response setup.
Every time a supply chain attack hits, security teams ask: which dev machines have the compromised package installed? SBOMs cover production builds. EDR covers running processes. Neither checks the actual files sitting on a developer's laptop.
Perplexity open-sourced Bumblebee (May 22, 2026) to fill that gap: a small, read-only Go binary that inventories npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer packages, plus MCP configs and editor/browser extensions. No install scripts, no network calls during scanning, no write operations.
DepScan checks a single package.json in the browser; Bumblebee checks your entire machine across 8 ecosystems. The same supply chain principles apply locally, not just in CI.
What Bumblebee Scans
| Category | What it checks | Example paths |
|---|---|---|
| npm/pnpm/Yarn/Bun | Lockfiles and node_modules | ~/.npm, ~/code/**/package-lock.json |
| PyPI | pip installs and virtualenvs | ~/.local/lib/python*, **/venv/ |
| Go modules | go.sum and module cache | ~/go/pkg/mod |
| RubyGems | Gem installs | ~/.gem, **/Gemfile.lock |
| Composer | Vendor directories | **/composer.lock |
| MCP configs | AI agent server configs | mcp.json, claude_desktop_config.json, .claude.json |
| Editor extensions | VS Code, Cursor, Windsurf | ~/.vscode/extensions, ~/.cursor/extensions |
| Browser extensions | Chromium and Firefox | Chrome/Default/Extensions, .mozilla/firefox |
All scans are read-only. Bumblebee never executes a package manager or runs install scripts, which sidesteps attacks that hide in preinstall/postinstall hooks.
Installing Bumblebee
1. Clone and Build (requires Go 1.25+)

```bash
git clone https://github.com/pplx-oss/bumblebee.git
cd bumblebee
go build -o bumblebee ./cmd/bumblebee
```

2. Verify the Binary

```bash
./bumblebee --version
```

You should see the version string and build commit. If not, confirm your Go version with `go version` (must be 1.25 or later).

3. (Optional) Move to PATH

```bash
sudo mv ./bumblebee /usr/local/bin/
```
The Three Scan Profiles
| Profile | What it scans | Best for |
|---|---|---|
| baseline | Common global/user package roots, language toolchains, extensions, MCP configs | Daily cron, routine inventory |
| project | Targeted sweep of specific dev directories (~/code, ~/src) | Auditing work projects on demand |
| deep | Operator-supplied roots including full home directory | Active incident response |
Running Your First Scan
1. Run a Baseline Scan

```bash
bumblebee scan --profile baseline > inventory.ndjson
```

Output is NDJSON (one JSON record per line). Diagnostics go to stderr, inventory goes to stdout. This makes piping clean.

2. Filter Output with jq

Pull only npm packages:

```bash
jq -r 'select(.ecosystem == "npm") | .package' inventory.ndjson
```

List all discovered MCP config file paths:

```bash
jq -r 'select(.ecosystem == "mcp") | .path' inventory.ndjson
```

3. Count Packages by Ecosystem

```bash
jq -r '.ecosystem' inventory.ndjson | sort | uniq -c | sort -rn
```

This gives you a quick breakdown of how many packages each ecosystem contributes to your machine's footprint. A typical active dev machine shows 500+ npm packages, a handful of Go modules, and 10-30 editor extensions.
Using an Exposure Catalog for Incident Response
When a new supply chain compromise drops, the first question is: are we affected? Bumblebee's exposure catalog feature turns that into a 5-second answer instead of a manual grep across every developer machine.
Create a JSON file describing the compromised packages (advisory.json in the command that follows):

```json
{
  "schema_version": "1.0",
  "entries": [
    {
      "id": "ADV-2026-0042",
      "name": "colors-hijack",
      "ecosystem": "npm",
      "package": "colors",
      "versions": [">=1.4.1 <1.4.3"],
      "severity": "critical"
    },
    {
      "id": "ADV-2026-0043",
      "name": "faker-hijack",
      "ecosystem": "npm",
      "package": "faker",
      "versions": [">=6.6.6"],
      "severity": "high"
    }
  ]
}
```

Then run a targeted deep scan against it:
```bash
bumblebee scan --profile deep --ecosystem npm --exposure-catalog advisory.json --findings-only
```

The --findings-only flag means you only see records that match the catalog. No match, no output. This turns "is anyone running the compromised version?" into a trivially scriptable check you can run across your fleet.
Checking MCP Configs
MCP (Model Context Protocol) configs define which external servers your AI coding tools connect to. After the ContextCrush incident in March 2026, this became a real attack surface: a malicious MCP server can exfiltrate code context, inject prompts, or pivot into your development environment.
Bumblebee checks these config files: mcp.json, .mcp.json, claude_desktop_config.json, mcp_config.json, mcp_settings.json, cline_mcp_settings.json, Gemini CLI/Code Assist settings, and ~/.claude.json.
```bash
bumblebee scan --profile baseline --ecosystem mcp
```

This outputs every MCP server config found on the machine, with the server URL and transport type for each entry. You can then cross-reference against known compromised servers or your organization's allowlist.
For a quick browser-based check of a single config file without installing anything, use the MCPConfigCheck tool.
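The cross-reference step for one config file Bumblebee located, as an added example that is not Bumblebee's own code: it walks the mcpServers layout used by claude_desktop_config.json and mcp.json and judges each server against an allowlist and a compromised-host list. The config contents, both host lists and the launcher heuristics are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed config in the claude_desktop_config.json / mcp.json shape: an
# "mcpServers" map whose entries carry "url" (remote) or "command"/"args" (stdio).
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "internal-docs": {"url": "https://mcp.internal.example/sse"},
    "scratch": {"url": "http://203.0.113.9:8080/mcp"},
    "fs": {"command": "/usr/local/bin/mcp-fs", "args": ["/home/dev/code"]},
    "grab": {"command": "npx", "args": ["-y", "some-unvetted-mcp-server@latest"]}
  }
}
""")

ALLOWED_HOSTS = {"mcp.internal.example"}       # constructed org allowlist
KNOWN_BAD_HOSTS = {"mcp.compromised.example"}  # constructed placeholder, not a real IoC

def check_mcp_config(config, allowed, known_bad):
    """Map each server name to (verdict, reason); verdicts are block, warn or ok."""
    out = {}
    for name, srv in config.get("mcpServers", {}).items():
        url = srv.get("url")
        if url:                                   # remote server: judge by host and scheme
            p = urlparse(url)
            host = p.hostname or ""
            if host in known_bad:
                out[name] = ("block", f"{host} is on the compromised-server list")
            elif host not in allowed:
                out[name] = ("block", f"{host} is not on the allowlist")
            elif p.scheme != "https":
                out[name] = ("warn", "remote server reached without TLS")
            else:
                out[name] = ("ok", "")
        else:                                     # stdio server: judge by how it is launched
            cmd, args = srv.get("command", ""), srv.get("args", [])
            if cmd in ("npx", "uvx") or "-y" in args:
                out[name] = ("warn", f"{cmd} fetches the server package at launch; pin and vendor it")
            elif not cmd.startswith("/"):
                out[name] = ("warn", f"'{cmd}' is resolved via PATH; use an absolute path")
            else:
                out[name] = ("ok", "")
    return out

if __name__ == "__main__":
    for name, (verdict, reason) in check_mcp_config(SAMPLE_CONFIG, ALLOWED_HOSTS, KNOWN_BAD_HOSTS).items():
        print(f"{verdict:5} {name:14} {reason}")
```

Point it at each path from the `jq -r 'select(.ecosystem == "mcp") | .path'` listing to cover every config on the machine.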
Scheduling Regular Scans
A one-off scan is useful during an incident. A daily scan turns Bumblebee into continuous inventory. Here's a crontab entry that runs at 2 AM every day:
```
0 2 * * * /usr/local/bin/bumblebee scan --profile baseline > /var/log/bumblebee/inventory-$(date +\%Y-\%m-\%d).ndjson 2>> /var/log/bumblebee/scan.log
```

The `\%` escapes are needed because cron treats a bare `%` as a newline. stderr goes to a separate log rather than being merged into the inventory file, so diagnostics never break the NDJSON.

On macOS, launchd is more reliable than cron for scheduled tasks. Here's a plist that achieves the same thing:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.bumblebee.scan</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/bumblebee</string>
    <string>scan</string>
    <string>--profile</string>
    <string>baseline</string>
  </array>
  <key>StandardOutPath</key>
  <string>/var/log/bumblebee/inventory.ndjson</string>
  <key>StartCalendarInterval</key>
  <dict>
    <key>Hour</key>
    <integer>2</integer>
    <key>Minute</key>
    <integer>0</integer>
  </dict>
</dict>
</plist>
```

For security teams managing a fleet, forward these NDJSON files to a central log aggregator (Splunk, Elastic, or even a simple S3 bucket). When an advisory drops, you query your existing inventory instead of scanning every machine in real time.
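The query that both the --findings-only scan and the stored-inventory check above boil down to, as an added example that is not Bumblebee's own code: match NDJSON inventory records against an exposure catalog in the schema shown earlier, including the ">=1.4.1 <1.4.3" range syntax. The inventory lines are constructed, and the "version" field is an assumption (the page only shows .ecosystem, .package and .path).

```python
import json
import re

# Constructed sample inventory in Bumblebee's NDJSON shape (one record per line).
# "version" is an assumed field name; the page only shows .ecosystem, .package, .path.
INVENTORY_NDJSON = """\
{"ecosystem": "npm", "package": "colors", "version": "1.4.2", "path": "/home/dev/code/app/node_modules/colors"}
{"ecosystem": "npm", "package": "colors", "version": "1.4.0", "path": "/home/dev/code/old/node_modules/colors"}
{"ecosystem": "npm", "package": "faker", "version": "6.6.6", "path": "/home/dev/code/app/node_modules/faker"}
{"ecosystem": "pypi", "package": "colors", "version": "1.4.2", "path": "/home/dev/venv/lib/python3.12/site-packages/colors"}
"""

# Constructed catalog in the schema shown above (the IDs are the page's sample values).
CATALOG = {
    "schema_version": "1.0",
    "entries": [
        {"id": "ADV-2026-0042", "name": "colors-hijack", "ecosystem": "npm",
         "package": "colors", "versions": [">=1.4.1 <1.4.3"], "severity": "critical"},
        {"id": "ADV-2026-0043", "name": "faker-hijack", "ecosystem": "npm",
         "package": "faker", "versions": [">=6.6.6"], "severity": "high"},
    ],
}

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "<=": lambda a, b: a <= b,
        "<": lambda a, b: a < b, "=": lambda a, b: a == b}
_CLAUSE = re.compile(r"(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)")   # one comparison clause

def parse_version(v):
    """Numeric dotted prefix -> tuple: '1.4.2' and '1.4.2-beta' both give (1, 4, 2)."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", v).group().split("."))

def in_range(version, spec):
    """True when version satisfies every space-separated clause of spec (AND semantics)."""
    v = parse_version(version)
    return all(_OPS[op or "="](v, parse_version(bound)) for op, bound in _CLAUSE.findall(spec))

def match_catalog(ndjson_text, catalog):
    """Offline equivalent of --findings-only: records whose ecosystem, package and
    version fall inside a catalog entry's range, tagged with the advisory id."""
    findings = []
    for line in filter(str.strip, ndjson_text.splitlines()):
        rec = json.loads(line)
        for entry in catalog["entries"]:
            same = (rec.get("ecosystem"), rec.get("package")) == (entry["ecosystem"], entry["package"])
            if same and any(in_range(rec["version"], s) for s in entry["versions"]):
                findings.append({"advisory": entry["id"], "severity": entry["severity"],
                                 "package": rec["package"], "version": rec["version"], "path": rec["path"]})
    return findings
```

Run it over the day's aggregated inventory files and an empty result means no machine holds an affected version.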
What Bumblebee Doesn't Do
- Windows support (macOS and Linux only currently)
- Runtime behavior detection (it reads files, doesn't execute them)
- SBOM replacement (covers dev endpoints, not production builds)
- EDR replacement (reads on-disk state, doesn't monitor running processes)
- Network analysis (doesn't check what packages do when executed)
- Remediation (reports findings, doesn't auto-fix or quarantine)
Bumblebee fills the specific gap between SBOMs and EDR. It tells you what's on disk right now, not what ran or what shipped. Pair it with a VS Code extension audit for a more complete picture of your local attack surface.
Frequently Asked Questions
What does Bumblebee scan for?
Bumblebee inventories installed packages across 8 ecosystems (npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer), MCP configs, and editor/browser extensions. It's read-only and never executes package managers or install scripts.
Is Bumblebee safe to run?
Yes. It's read-only by design and never executes install scripts or package managers. The binary makes no network calls during scanning. It's Apache 2.0 licensed and fully source-available, so you can audit the code before building.
What is the difference between Bumblebee and an SBOM?
SBOMs inventory your production build artifacts (what ships to users). Bumblebee inventories your developer machine (what's installed locally). They complement each other: an SBOM tells you what's in the container you deployed, while Bumblebee tells you what's sitting on every engineer's laptop right now.
How do I check my MCP configs for known compromises?
Run the following command to list all MCP server configs found on your machine:
```bash
bumblebee scan --profile baseline --ecosystem mcp
```

For a browser-based check without installing anything, use the MCPConfigCheck tool. It validates a single config file against known-bad server patterns.
Does Bumblebee work on Windows?
Not currently. Bumblebee supports macOS and Linux. Windows support is tracked in the GitHub issues but has no release date yet. If you need Windows coverage, you can run it inside WSL2 to scan packages visible from the Linux filesystem.