When an advisory names a package, how do you know which developer machines have ...

4,681 stars

README

Project documentation from GitHub

Bumblebee: Track Which Dev Machines Have a Known Vulnerable Package

When a security advisory drops naming a specific package version, the race is on. You need to figure out: which developer machines in your org are running that exact version? And you need the answer before the exploit gets weaponized.

That's the exact problem Bumblebee was built to solve. It's a simple, focused tool from Perplexity AI that answers that one uncomfortable question: "Who has this package installed right now?"

What It Does

Bumblebee is a lightweight agent that you run locally on developer machines. It scans the local environment (the npm cache, installed pip packages, and the state left behind by other package managers) and reports which package versions are installed or cached. The core idea is dead simple:

  • Query by package name – you ask "who has [email protected]?"
  • Bumblebee responds – it tells you which machines have that version, cached or installed
  • No phoning home – it works locally or through a private registry you control

It doesn't try to be a full dependency scanner or a CI pipeline tool. It's laser-focused on the developer machine inventory problem – something most security teams don't have good answers for.

Why It's Cool

Three things make Bumblebee stand out from the usual "scan everything" approaches:

1. It's built for the "it's already too late" moment.
Most tools look at your source code or CI artifacts. But a developer might have installed a malicious package locally, run a script, and then removed it from node_modules. Uninstalling does not empty the package manager's cache: npm's content-addressable cache (~/.npm/_cacache) still holds the downloaded tarball and its index entry. That's why Bumblebee works at the filesystem level: it checks the actual installed cache, not just package-lock.json. The caveat a responder needs: a cache hit proves the version was fetched onto that machine, not that its install scripts ran, so treat it as a lead to triage rather than as proof of compromise.

2. It's privacy-respecting by design.
You can run it fully offline. It doesn't need a central server unless you want to aggregate data. The default mode is "ask locally." That's refreshing in a world of "just send us all your metadata."

3. It's minimal.
It's a single Go binary. No dependencies, no Docker, no Kubernetes. go install github.com/perplexityai/bumblebee@latest and you're done. That matters when you're deploying it to 100+ developer laptops.
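To make the inventory check concrete, here is an added example of the two lookups described under "What It Does" and in point 1 above: which projects have a given npm package version installed in node_modules, and whether the tarball for that version is still in the npm cache after an uninstall. This is example code written for this page, not Bumblebee's own source, whose internals the page does not show. It assumes npm 7+'s cache layout (<cache>/_cacache/index-v5, with one "hash<TAB>json" entry per line whose "key" ends in the registry tarball URL) and builds a constructed sample tree in a temp directory; the package, project and hash names in it are made up. pip would follow the same pattern by matching <Name>-<Version>.dist-info directories in site-packages and is not shown.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Hit is one place on this machine where the wanted package version was found.
type Hit struct{ Source, Path string }

// npmTarballSuffix is the tail of the registry URL npm fetches for a version:
// "@scope/pkg" at 1.2.3 comes from ".../@scope/pkg/-/pkg-1.2.3.tgz".
func npmTarballSuffix(name, version string) string {
	base := name[strings.LastIndex(name, "/")+1:]
	return "/" + name + "/-/" + base + "-" + version + ".tgz"
}

// scanNodeModules finds node_modules/<name>/package.json files under root
// whose "version" equals version: what is installed right now.
func scanNodeModules(root, name, version string) []Hit {
	var hits []Hit
	want := string(filepath.Separator) + filepath.Join("node_modules", filepath.FromSlash(name), "package.json")
	filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(p, want) {
			return nil // unreadable directories are skipped, not fatal
		}
		var pkg struct{ Version string `json:"version"` }
		if b, e := os.ReadFile(p); e == nil && json.Unmarshal(b, &pkg) == nil && pkg.Version == version {
			hits = append(hits, Hit{"node_modules", p})
		}
		return nil
	})
	return hits
}

// scanNpmCache reads npm's cache index (<cache>/_cacache/index-v5, npm 7+).
// Each line is "<hash>\t<json>" whose "key" holds the tarball URL, so a fetched
// version stays visible here after "npm uninstall" has emptied node_modules.
func scanNpmCache(cacheDir, name, version string) []Hit {
	var hits []Hit
	suffix := npmTarballSuffix(name, version)
	filepath.WalkDir(filepath.Join(cacheDir, "_cacache", "index-v5"), func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return nil
		}
		b, _ := os.ReadFile(p)
		for _, line := range strings.Split(string(b), "\n") {
			var entry struct{ Key string `json:"key"` }
			parts := strings.SplitN(line, "\t", 2)
			if len(parts) == 2 && json.Unmarshal([]byte(parts[1]), &entry) == nil && strings.HasSuffix(entry.Key, suffix) {
				hits = append(hits, Hit{"npm-cache", entry.Key})
			}
		}
		return nil
	})
	return hits
}

// buildSample writes a constructed (not captured) developer-machine layout under dir:
// left-pad 1.3.0 installed in proj-a, 1.2.0 in proj-b, and a cache index entry
// for the 1.3.0 tarball. All names and the hash are made up for this example.
func buildSample(dir string) error {
	files := map[string]string{
		"proj-a/node_modules/left-pad/package.json": `{"name":"left-pad","version":"1.3.0"}`,
		"proj-b/node_modules/left-pad/package.json": `{"name":"left-pad","version":"1.2.0"}`,
		".npm/_cacache/index-v5/ab/cd/0123456789abcdef": "\n0123abcd\t" +
			`{"key":"make-fetch-happen:request-cache:https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"}`,
	}
	for rel, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "pkg-inventory")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := buildSample(dir); err != nil {
		panic(err)
	}
	// Query: who has left-pad 1.3.0 installed or cached? Expect one hit of each kind.
	hits := append(scanNodeModules(dir, "left-pad", "1.3.0"), scanNpmCache(filepath.Join(dir, ".npm"), "left-pad", "1.3.0")...)
	for _, h := range hits {
		fmt.Printf("%-12s %s\n", h.Source, h.Path)
	}
}
```

Run against a real home directory you would point scanNodeModules at the developer's source tree and scanNpmCache at ~/.npm. The cache scan is the part a lockfile diff cannot replace: proj-b never fetched 1.3.0, so a query for it returns nothing there, while the cache entry records the fetch even though nothing in node_modules references it any more. Whether the package's install scripts actually ran is not recoverable from either source.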

How to Try It

Getting started takes about 30 seconds:

```bash
# Install it
go install github.com/perplexityai/bumblebee@latest

# Scan your current machine for a package
bumblebee query [email protected]
```

That's it. The binary will crawl your local p

Last updated: May 24, 2026