al-ice.ai

Perplexity Bumblebee — Open-Source Scanner for Dev Endpoints and MCP Configs

Security by al-ice.ai Editorial

AI relevance: Bumblebee is the first open-source scanner that explicitly inventories Model Context Protocol (MCP) configurations on developer machines — the same protocol that AI agents like Claude, Cursor, and Windsurf use to hook into external tools and APIs.

What Happened

Perplexity released Bumblebee (v0.1.1, May 22) — a read-only, zero-dependency Go scanner that runs on macOS and Linux dev endpoints. The tool surpassed 1,450 GitHub stars in under a week. It was built in response to the Shai-Hulud and Mini Shai-Hulud npm worms that targeted packages from TanStack, SAP, and Zapier.

Key Findings

  • Covers eight package ecosystems: npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, and Composer.
  • Scans MCP configuration files, VS Code/Cursor/Windsurf/VSCodium extensions, and Chromium/Firefox extensions.
  • Design principle: "never execute anything" — reads lockfiles directly without invoking npm, pip, or bun, avoiding postinstall script execution (the primary attack vector for npm worms).
  • Outputs NDJSON, compatible with SIEM platforms like Splunk or Elastic SIEM.
  • Can be integrated with Perplexity Computer to trigger deeper scans when new supply-chain advisories emerge.
  • Pure Go binary, zero non-stdlib dependencies — single static file, distributable via MDM without runtime concerns.

Why It Matters

The npm supply-chain worm wave of early 2026 showed that existing SBOMs and EDRs don't cover the gap between "what's installed on a developer's laptop" and "what's actually compromised." Bumblebee fills that gap by providing read-only disk-level inventory, including MCP configs — which matter because MCP is the protocol AI agents use to access external tools, databases, and APIs. A compromised MCP config on a developer's machine means a compromised AI agent with access to whatever that MCP server connects to.

What To Do

  • Run Bumblebee against your engineering fleet to inventory installed packages and MCP configurations.
  • Compare scan output against recent supply-chain advisories (Shai-Hulud, TeamPCP, Megalodon) to identify exposed endpoints.
  • Integrate Bumblebee NDJSON output into your SIEM for automated alerting when newly disclosed vulnerable packages are detected on developer machines.
  • Audit MCP server configurations on developer endpoints for unverified or suspicious tool registrations.

Sources