In this video, I take a hands-on look at Bumblebee, Perplexity's new open-source scanner for developer machines, and show how it helps answer one of the hardest supply chain security questions: "Do any dev laptops have a risky package, extension, or AI config sitting on disk right now?" I'll run Bumblebee live to show how it scans local metadata without running package managers, executing project code, or triggering install scripts. It's a fast, read-only developer endpoint inventory tool that outputs clean NDJSON so teams can pipe results into scripts, MDM, SIEM workflows, or incident response processes.

🔗 Relevant Links
Perplexity Bumblebee - https://www.perplexity.ai/hub/blog/perplexity-is-open-sourcing-bumblebee
Bumblebee Repo - https://github.com/perplexityai/bumblebee

❤️ More about us
Radically better observability stack: https://betterstack.com/
Written tutorials: https://betterstack.com/community/
Example projects: https://github.com/BetterStackHQ

📱 Socials
Twitter: https://twitter.com/betterstackhq
Instagram: https://www.instagram.com/betterstackhq/
TikTok: https://www.tiktok.com/@betterstack
LinkedIn: https://www.linkedin.com/company/betterstack

📌 Chapters:
0:00 The Dev Machine Supply Chain Problem
0:35 Why Developer Laptops Are Now an Attack Surface
1:25 Bumblebee Install and Self-Test
1:55 Running a Baseline Scan with Bumblebee
2:15 Reading Bumblebee NDJSON Output
3:00 Why Bumblebee Is Not Another SCA Tool
3:54 Baseline vs Project vs Deep Scan Profiles
4:55 What Bumblebee Scans: npm, PyPI, VS Code, Browsers, MCP
5:30 Bumblebee Pros: Fast, Safe, Open Source
6:05 Why Read-Only Scanning Matters During Incidents
7:20 Should Developers Use Bumblebee?
Comments 20
thank you for the best video
Bruh fix your ugly powerline icons
Why do I hear AI Slop writing??
Do you have any dictionary for all the acronyms?
Could you make your script less AI, for God's sake?
Downloading anything from Perplexity is wild 😂
Man you really needed that microphone. So much more professional sounding now.
Supply chain attack on Bumblebee in 5... 4... 3...
"THIS will keep you safe. Just download and run it!" 😂
Live demo, free-handed
Great deep dive!
Hmmm, Nix, anyone?
Folks, if in 2026 you're still doing development locally, directly on your machine... you're doing it wrong! Please use dev containers! Even for the small projects! Any project that has dependencies that need to be installed from a package manager needs a dev container. The risk of compromising your whole machine is just too great!
1. Requiring you to install it with go instead of publishing to Homebrew is a PITA.
2. There's no catalog bundle shipped with the binary, so you have to manually fetch the JSON files from the repo before you can match anything.
3. No self-update for catalogs either... you have to remember to git pull or re-curl every time a new advisory drops, otherwise you're scanning against stale intel.
4. Catalog coverage is limited to the handful of named campaigns their team happens to write up. For comparison, npm audit / pip-audit / bundle audit already consume the GitHub advisory DB and catch real CVEs across the board.

As it stands it's a barebones tool with limited value for a single laptop. The one thing it actually does that the audit tools don't is cover editor/browser extensions and MCP configs... for plain package CVEs the audit tools already win.
I stopped watching after the AI slop script ("No x, no x, just x"). Terrible, please stop that.
Not actually useful; everything from Perplexity is garbage.
That's pretty useful. I'm tackling the supply chain issues different ways but this helps solve an issue I had a few weeks back where I was asking myself "have I been pwned and I just don't know it?". When you have multiple projects on the go and plugins for IDEs auto-updating it is hard to know what you have installed locally. (Also don't take this the wrong way because the video is ultimately fine... But I can hear that AI wrote most of this script. Claude loves snappy short sentences and going on and on about "boring tech".)
Cool tool, nice presentation. It feels like you mention many things repeatedly, which reduces the quality of the video overall IMO.
Install some powerline fonts so the terminal doesn't look as ugly :D
AI never sleeps 😴