Bumblebee: Track Which Dev Machines Have a Known Vulnerable Package
When a security advisory drops naming a specific package version, the race is on. You need to figure out: which developer machines in your org are running that exact version? And you need the answer before the exploit gets weaponized.
That's the exact problem Bumblebee was built to solve. It's a simple, focused tool from Perplexity AI that answers that one uncomfortable question: "Who has this package installed right now?"
What It Does
Bumblebee is a lightweight agent that you run locally on developer machines. It scans the environment (like your local npm cache, pip packages, or other package managers) and reports back which package versions are installed. The core idea is dead simple:
- Query by package name – you ask "who has [email protected]?"
- Bumblebee responds – it tells you which machines have that version, cached or installed
- No phoning home – it works locally or through a private registry you control
It doesn't try to be a full dependency scanner or a CI pipeline tool. It's laser-focused on the developer machine inventory problem – something most security teams don't have good answers for.
Why It's Cool
Three things make Bumblebee stand out from the usual "scan everything" approaches:
1. It's built for the "it's already too late" moment.
Most tools look at your source code or CI artifacts. But a developer might have installed a malicious package locally, run a script, and then removed it from node_modules. Bumblebee works at the filesystem level – it checks the actual installed cache, not just package-lock.json.
2. It's privacy-respecting by design.
You can run it fully offline. It doesn't need a central server unless you want to aggregate data. The default mode is "ask locally." That's refreshing in a world of "just send us all your metadata."
3. It's minimal.
It's a single Go binary. No dependencies, no Docker, no Kubernetes. go install github.com/perplexityai/bumblebee and you're done. That matters when you're deploying it to 100+ developer laptops.
How to Try It
Getting started takes about 30 seconds:
# Install it
go install github.com/perplexityai/bumblebee@latest
# Scan your current machine for a package
bumblebee query [email protected]
That's it. The binary will crawl your local package cache (npm, pip, go modules, and a few others) and tell you if that exact version exists anywhere.
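To make the "check what is actually on disk, not the lockfile" idea concrete, here is a small added example (my own code, not Bumblebee's): it walks a directory tree and reports every installed copy of an exact name@version from the metadata npm and pip leave behind (node_modules/*/package.json and *.dist-info/METADATA). The package names and versions used to exercise it are constructed, not real advisories.

```go
package main

import (
	"encoding/json"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)
// Hit is one installed copy of the wanted package: its ecosystem and on-disk directory.
type Hit struct{ Ecosystem, Path string }
// FindInstalled walks root for installed copies of name@version by reading what is really
// on disk (node_modules/*/package.json, pip *.dist-info/METADATA), not a lockfile.
// Unreadable entries are skipped rather than aborting the scan, so no error is returned.
func FindInstalled(root, name, version string) []Hit {
	var hits []Hit
	filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		dir := filepath.Dir(p)
		isNpm := err == nil && d.Name() == "package.json" && strings.Contains(filepath.ToSlash(p), "/node_modules/")
		isPip := err == nil && d.Name() == "METADATA" && strings.HasSuffix(dir, ".dist-info")
		if !isNpm && !isPip {
			return nil
		}
		data, err := os.ReadFile(p)
		if isNpm && err == nil && npmMatches(data, name, version) {
			hits = append(hits, Hit{"npm", dir})
		} else if isPip && err == nil && pipMatches(data, name, version) {
			hits = append(hits, Hit{"pip", dir})
		}
		return nil
	})
	return hits
}
// npmMatches checks an installed package.json (encoding/json matches keys case-insensitively).
func npmMatches(data []byte, name, version string) bool {
	var pkg struct{ Name, Version string }
	return json.Unmarshal(data, &pkg) == nil && pkg.Name == name && pkg.Version == version
}
// pipMatches parses METADATA; pip compares names case-insensitively with "-" and "_" alike.
func pipMatches(data []byte, name, version string) bool {
	norm := func(s string) string { return strings.ToLower(strings.ReplaceAll(strings.TrimSpace(s), "_", "-")) }
	var gotName, gotVersion string
	for _, line := range strings.Split(string(data), "\n") {
		if strings.HasPrefix(line, "Name:") {
			gotName = norm(strings.TrimPrefix(line, "Name:"))
		} else if strings.HasPrefix(line, "Version:") {
			gotVersion = strings.TrimSpace(strings.TrimPrefix(line, "Version:"))
		}
	}
	return gotName == norm(name) && gotVersion == version
}
```

Point it at a home directory or a project checkout; a hit means that exact version is installed there right now, whether or not any lockfile still mentions it.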
If you want something more orchestrated (like a team-wide report), the README shows how to run it as a cron job or integrate with a simple HTTP endpoint. But for the "alert just popped up" use case, the single-machine query is plenty.
Final Thoughts
Bumblebee scratches an itch that's surprisingly hard to scratch with existing tools. Most security software assumes you have perfect visibility into every developer's workstation – or it settles for only checking what's in source control. Bumblebee bridges that gap with a minimal, non-invasive approach.
If your team has ever been caught in the "we need to check everyone's laptop for CVE-2024-XXXX" scramble, this tool is worth a look. It won't solve all your supply chain security problems, but it solves the one that's most urgent when the advisory hits your inbox.
Found via @githubprojects
Repository: https://github.com/perplexityai/bumblebee