Bumblebee: Track Which Dev Machines Have a Known Vulnerable Package
When a security advisory drops naming a specific package version, the race is on. You need to figure out: which developer machines in your org are running that exact version? And you need the answer before the exploit gets weaponized.
That's the exact problem Bumblebee was built to solve. It's a simple, focused tool from Perplexity AI that answers that one uncomfortable question: "Who has this package installed right now?"
What It Does
Bumblebee is a lightweight agent that you run locally on developer machines. It scans the environment (like your local npm cache, pip packages, or other package managers) and reports back which package versions are installed. The core idea is dead simple:
- Query by package name – you ask "who has [email protected]?"
- Bumblebee responds – it tells you which machines have that version, cached or installed
- No phoning home – it works locally or through a private registry you control
It doesn't try to be a full dependency scanner or a CI pipeline tool. It's laser-focused on the developer machine inventory problem – something most security teams don't have good answers for.
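To make the "installed right now, on the filesystem" idea concrete, here is a small Go scanner written for this article (it is not Bumblebee's code and does not use its API). It walks a directory tree, reads every npm package.json and every pip *.dist-info/METADATA it finds, and reports the ones that declare exactly the queried name@version. The package name demo-lib, the versions and the directory layout are all constructed fixtures written to a temp directory so the program runs offline; a real deployment would point it at the developer's home directory, global npm cache and site-packages instead.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Hit is one installed copy of the queried package found on disk.
type Hit struct {
	Ecosystem string // "npm" or "pip"
	Path      string // the metadata file that proved the install
}

// splitSpec turns "name@version" into its parts. It splits on the last '@'
// so scoped npm names such as "@scope/pkg@1.2.3" are handled correctly.
func splitSpec(spec string) (name, version string, ok bool) {
	i := strings.LastIndex(spec, "@")
	if i <= 0 || i == len(spec)-1 {
		return "", "", false
	}
	return spec[:i], spec[i+1:], true
}

// normPip applies PEP 503 name normalisation: case-fold and collapse runs of
// '-', '_' and '.' into a single '-', so demo_lib and Demo-Lib compare equal.
func normPip(s string) string {
	s = strings.NewReplacer("_", "-", ".", "-").Replace(strings.ToLower(s))
	for strings.Contains(s, "--") {
		s = strings.ReplaceAll(s, "--", "-")
	}
	return s
}

// Query walks root and returns every npm package.json and every pip
// *.dist-info/METADATA that declares exactly name@version.
func Query(root, spec string) ([]Hit, error) {
	name, version, ok := splitSpec(spec)
	if !ok {
		return nil, fmt.Errorf("spec must be name@version, got %q", spec)
	}
	var hits []Hit
	walk := func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return nil // unreadable entries are skipped, not fatal
		}
		switch {
		case d.Name() == "package.json":
			data, rerr := os.ReadFile(p)
			if rerr != nil {
				return nil
			}
			var meta struct {
				Name    string `json:"name"`
				Version string `json:"version"`
			}
			if json.Unmarshal(data, &meta) == nil && meta.Name == name && meta.Version == version {
				hits = append(hits, Hit{"npm", p})
			}
		case d.Name() == "METADATA" && strings.HasSuffix(filepath.Base(filepath.Dir(p)), ".dist-info"):
			f, oerr := os.Open(p)
			if oerr != nil {
				return nil
			}
			defer f.Close()
			var mName, mVer string
			sc := bufio.NewScanner(f)
			for sc.Scan() {
				line := sc.Text()
				if line == "" {
					break // blank line ends the header block
				}
				if strings.HasPrefix(line, "Name: ") {
					mName = strings.TrimPrefix(line, "Name: ")
				} else if strings.HasPrefix(line, "Version: ") {
					mVer = strings.TrimPrefix(line, "Version: ")
				}
			}
			if normPip(mName) == normPip(name) && mVer == version {
				hits = append(hits, Hit{"pip", p})
			}
		}
		return nil
	}
	return hits, filepath.WalkDir(root, walk)
}

// MakeFixture writes a constructed mini-tree under dir: two installed copies of
// demo-lib 1.2.3 (one npm, one pip) and one copy of the unaffected 1.2.4.
// These files are invented for this example, not real package contents.
func MakeFixture(dir string) error {
	files := map[string]string{
		"proj/node_modules/demo-lib/package.json":                  `{"name":"demo-lib","version":"1.2.3"}`,
		"cache/node_modules/demo-lib/package.json":                 `{"name":"demo-lib","version":"1.2.4"}`,
		"venv/lib/site-packages/demo_lib-1.2.3.dist-info/METADATA": "Metadata-Version: 2.1\nName: demo-lib\nVersion: 1.2.3\n\nlong description\n",
	}
	for rel, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "inventory-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := MakeFixture(dir); err != nil {
		panic(err)
	}
	hits, err := Query(dir, "demo-lib@1.2.3") // the "advisory" version
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%-4s %s\n", h.Ecosystem, h.Path)
	}
}
```

Two design points matter for a real inventory tool: the match is on the metadata the package manager itself wrote (package.json, METADATA), not on a lockfile, so a copy that was installed and later dropped from the project's manifest still shows up as long as it sits in a cache or node_modules tree; and pip names are compared after normalisation, since demo_lib and demo-lib are the same distribution and an exact string compare would miss it.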
Why It's Cool
Three things make Bumblebee stand out from the usual "scan everything" approaches:
1. It's built for the "it's already too late" moment.
Most tools look at your source code or CI artifacts. But a developer might have installed a malicious package locally, run a script, and then removed it from node_modules. Bumblebee works at the filesystem level – it checks the actual installed cache, not just package-lock.json.
2. It's privacy-respecting by design.
You can run it fully offline. It doesn't need a central server unless you want to aggregate data. The default mode is "ask locally." That's refreshing in a world of "just send us all your metadata."
3. It's minimal.
It's a single Go binary. No dependencies, no Docker, no Kubernetes. go install github.com/perplexityai/bumblebee and you're done. That matters when you're deploying it to 100+ developer laptops.
How to Try It
Getting started takes about 30 seconds:
# Install it
go install github.com/perplexityai/bumblebee@latest

# Scan your current machine for a package
bumblebee query [email protected]
That's it. The binary will crawl your local p