Companies now spend more on cybersecurity than on most other technology line items. The standard enterprise stack includes network firewalls, endpoint detection tools, software composition analysis pipelines, and vulnerability scanners tuned to catch known CVEs before they reach production. Security teams at major firms run continuous monitoring. Threat intelligence feeds update automatically. The apparatus is extensive, expensive, and serious. It doesn't protect the developers who build everything that apparatus is designed to defend.
Section One
The Version Everyone Believes
Software composition analysis tools scan repositories. They check every declared dependency against databases of known vulnerabilities, flag anything with a CVE, and block affected builds before anything reaches production. Endpoint detection and response tools watch every process running on company machines and alert on suspicious behavior. Software bills of materials document exactly what's inside every deployed artifact. This is, by any reasonable standard, a serious security posture. It's also the one that nearly every large technology company currently operates.
The logic is sound. If you know what code you're shipping, and you know which versions of which libraries are vulnerable, you can catch most problems before they cause damage. The security industry spent two decades building this framework. It works well for the environments it was designed to protect.
The assumption embedded in all of it is that the perimeter includes the developers.
It doesn't. Software composition analysis tools scan repositories, not the package directories installed on individual developers' machines. An SBOM catalogs what went into a production artifact, not what a developer installed locally last week when testing a new library. EDR tools watch which processes run and which network connections are made. They don't read lockfiles, parse extension manifests, or check MCP configuration files sitting in a home directory.
The enterprise security stack was designed, quite sensibly, to protect production environments and network infrastructure. Developer machines were inside the trusted zone. Attackers agreed with this framing for a long time, because reaching production through a developer machine was indirect and difficult. Then the open source ecosystem made it straightforward.
Section Two
What the Mini Shai-Hulud Campaign Found
Supply chain attacks exploit the moment between a developer's install command and production. The technique is precise. An attacker publishes a malicious package to a public registry. Often it's a typosquatted name, close to a legitimate package but one character off. Sometimes it's more sophisticated: the attacker compromises a legitimate maintainer's account and injects malicious code into a package that thousands of developers already trust.
When the developer runs npm install, the package manager fetches the package, extracts it, and automatically executes its postinstall script. That script runs with the permissions of the current user, before any analysis has occurred, before any EDR tool has had time to classify the behavior, and before any security engineer has been alerted. The attack lands at the moment of installation.
How postinstall hooks work
Every npm package can declare a postinstall script in its manifest. When a developer runs npm install, the package manager runs these scripts automatically for every package in the dependency tree. There is no confirmation step. There is no sandbox. The scripts run with full user permissions on the developer's machine. Any scanner that checks for malicious packages by invoking the package manager has already triggered the attack it was looking for.
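As an added illustration of the mechanism (example code written for this article, not Bumblebee's source), the Go program below inventories install-time hooks the safe way: it parses package.json manifests under a directory and reports any preinstall, install, postinstall or prepare script without ever invoking npm. The two sample manifests are constructed and the package names are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// lifecycleHooks are the npm script names that run automatically during
// `npm install`, in the order npm invokes them. A metadata-only review should
// surface these before anyone runs an install.
var lifecycleHooks = []string{"preinstall", "install", "postinstall", "prepare"}

// Hook is one install-time script declared by a package manifest.
type Hook struct {
	Package string // "name" field of package.json
	Version string // "version" field of package.json
	Name    string // which lifecycle hook (preinstall, postinstall, ...)
	Command string // the shell command npm would execute
}

// LifecycleScripts parses one package.json document and returns every
// install-time hook it declares. Only the manifest is read; nothing is
// executed and no package manager is invoked.
func LifecycleScripts(manifest []byte) ([]Hook, error) {
	var pkg struct {
		Name    string            `json:"name"`
		Version string            `json:"version"`
		Scripts map[string]string `json:"scripts"`
	}
	if err := json.Unmarshal(manifest, &pkg); err != nil {
		return nil, err
	}
	var hooks []Hook
	for _, h := range lifecycleHooks {
		if cmd, ok := pkg.Scripts[h]; ok {
			hooks = append(hooks, Hook{Package: pkg.Name, Version: pkg.Version, Name: h, Command: cmd})
		}
	}
	return hooks, nil
}

// ScanTree walks root (for example a node_modules directory) and collects the
// install-time hooks from every package.json it finds, using the file system
// alone. Unreadable or malformed manifests are skipped rather than fatal.
func ScanTree(root string) ([]Hook, error) {
	var found []Hook
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || d.Name() != "package.json" {
			return nil
		}
		if data, err := os.ReadFile(path); err == nil {
			if hooks, err := LifecycleScripts(data); err == nil {
				found = append(found, hooks...)
			}
		}
		return nil
	})
	sort.Slice(found, func(i, j int) bool {
		return found[i].Package+found[i].Name < found[j].Package+found[j].Name
	})
	return found, err
}

// sampleManifests are constructed package.json files (not real packages): one
// declares nothing at install time, the other declares a postinstall hook.
var sampleManifests = map[string]string{
	"node_modules/example-clean/package.json":  `{"name":"example-clean","version":"1.0.0","scripts":{"test":"node test.js"}}`,
	"node_modules/example-hooked/package.json": `{"name":"example-hooked","version":"2.3.1","scripts":{"postinstall":"node setup.js","build":"tsc"}}`,
}

// WriteSamples materialises sampleManifests under root so ScanTree has a tree
// to walk; it stands in for a real node_modules directory.
func WriteSamples(root string) error {
	for rel, body := range sampleManifests {
		full := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "hookscan")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := WriteSamples(root); err != nil {
		panic(err)
	}
	hooks, err := ScanTree(root)
	if err != nil {
		panic(err)
	}
	for _, h := range hooks {
		fmt.Printf("%s@%s declares %s: %q\n", h.Package, h.Version, h.Name, h.Command)
	}
}
```

Point ScanTree at a real node_modules directory to review a project before anyone installs into it. The same read-only stance is what `npm install --ignore-scripts` gives you at install time: the hooks are recorded in the manifest but not run.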
The Mini Shai-Hulud campaign deployed this technique across five ecosystems simultaneously: npm, PyPI, RubyGems, Go modules, and Composer. Packages were placed in each registry targeting the same organizations from multiple angles. Companies including TanStack, SAP, and Zapier were affected. The multi-ecosystem approach was deliberate. A defender who audits one ecosystem still has four others to worry about. A developer who avoids suspicious npm packages might still install a compromised PyPI library.
Figure 1 — The supply chain attack path from attacker to production
Existing security tools are poorly positioned to catch this sequence. An EDR tool watches process execution, but by the time the postinstall script runs, the attack is already underway. A software composition analysis pipeline scans declared dependencies in the project manifest, not what's actually installed in global package directories. An SBOM documents production artifacts after the build completes. None of these tools answer the question a security team needs answered immediately: which developer machines in this organization have this specific compromised package installed right now?
When the Mini Shai-Hulud series became public, that question had no fast answer for most organizations. The investigation meant manually querying every developer machine across multiple package managers, a process that takes hours at best and days at realistic scale.
Section Three
How Security Forgot the People Who Build It
The gap isn't a failure of implementation. It's a failure of scope that made sense at the time the frameworks were built. Enterprise security evolved to protect servers, internal databases, and network infrastructure. Developers were inside the trusted zone, connected to corporate networks, their machines managed by IT departments that approved the software they ran. Attackers went after servers because that's where the data lived. Developer machines were indirect targets, and indirect targets are harder to exploit efficiently.
The open source ecosystem shifted that calculus. A developer's machine now contains a living, constantly updating ecosystem of third-party code from thousands of sources. It's not just the production dependencies. It's the testing libraries, the scaffolding tools, the utility packages installed globally and then forgotten. It's the VS Code extensions loaded automatically on startup, each one with access to the file system and the network. It's the browser extensions that sit in the development browser, reading every page a developer opens. And increasingly, it's the MCP configuration files that specify which tools AI agents can invoke and how.
| Attack Surface on Developer Machine | Traditional Security Covers This | Bumblebee Covers This |
|---|---|---|
| Production server dependencies | ✓ Yes | — |
| Repository declared dependencies (CI/CD) | ✓ Yes | — |
| Deployed artifact SBOM | ✓ Yes | — |
| Locally installed packages (npm, pip, gem, go) | ✗ Blind spot | ✓ Yes |
| Editor extensions (VS Code, Cursor, Windsurf) | ✗ Blind spot | ✓ Yes |
| Browser extensions (Chrome, Edge, Brave, Arc) | ✗ Blind spot | ✓ Yes |
| MCP AI agent configuration files | ✗ Blind spot | ✓ Yes |
| User-directory package installs | ✗ Blind spot | ✓ Yes |
Figure 2 — Coverage gap between traditional security tools and Bumblebee
MCP configurations deserve particular attention because they represent an attack surface that barely existed before 2024. These files specify which tools an AI agent can invoke, which local commands it can run, and which remote services it can reach. A compromised MCP configuration can redirect AI agent behavior in ways that are subtle, persistent, and nearly invisible to conventional monitoring. Bumblebee reads MCP configuration files as part of its standard baseline scan. At the time of its release, it was the only security scanner that did.
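To make the MCP surface concrete, here is an added example (written for this article, not Bumblebee's code) that reads an MCP client configuration and classifies what each server entry lets the agent reach: a local command, an npm package fetched on demand through npx, or a remote endpoint. The `mcpServers` / `command` / `args` / `url` layout is assumed from common client configurations; the sample configuration is constructed, and the package names, path and URL are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// ServerRef is what one MCP server entry grants the agent: a local command,
// an npm package fetched on demand via npx, or a remote endpoint.
type ServerRef struct {
	Name    string   // key in the mcpServers map
	Kind    string   // "local", "npx" or "remote"
	Target  string   // command path, package name or URL
	Version string   // version pin for npx refs ("" when unpinned)
	Args    []string // arguments exactly as configured
}

// InventoryMCP parses an MCP client configuration in the common
// {"mcpServers": {name: {"command", "args"} | {"url"}}} layout (assumed here)
// and classifies each server. The file is only read; no server is started.
func InventoryMCP(cfg []byte) ([]ServerRef, error) {
	var doc struct {
		Servers map[string]struct {
			Command string   `json:"command"`
			Args    []string `json:"args"`
			URL     string   `json:"url"`
		} `json:"mcpServers"`
	}
	if err := json.Unmarshal(cfg, &doc); err != nil {
		return nil, err
	}
	var refs []ServerRef
	for name, s := range doc.Servers {
		ref := ServerRef{Name: name, Args: s.Args}
		switch {
		case s.URL != "":
			ref.Kind, ref.Target = "remote", s.URL
		case s.Command == "npx":
			ref.Kind, ref.Target = "npx", firstPositional(s.Args)
			// "pkg@1.2.3" pins a version; a leading "@" is a scope, not a pin
			if i := strings.LastIndex(ref.Target, "@"); i > 0 {
				ref.Target, ref.Version = ref.Target[:i], ref.Target[i+1:]
			}
		default:
			ref.Kind, ref.Target = "local", s.Command
		}
		refs = append(refs, ref)
	}
	sort.Slice(refs, func(i, j int) bool { return refs[i].Name < refs[j].Name })
	return refs, nil
}

// firstPositional returns the first argument that is not a flag, which for
// npx is the package it will download and run.
func firstPositional(args []string) string {
	for _, a := range args {
		if !strings.HasPrefix(a, "-") {
			return a
		}
	}
	return ""
}

// Unpinned returns the refs that fetch whatever the registry currently serves:
// on-demand package runs with no version pin. These are the entries a reviewer
// should pin or vendor first, because a registry compromise changes them silently.
func Unpinned(refs []ServerRef) []ServerRef {
	var out []ServerRef
	for _, r := range refs {
		if r.Kind == "npx" && r.Version == "" {
			out = append(out, r)
		}
	}
	return out
}

// sampleConfig is a constructed MCP configuration (not a real deployment).
const sampleConfig = `{"mcpServers":{
 "files":{"command":"npx","args":["-y","@example/mcp-files"]},
 "search":{"command":"npx","args":["-y","example-search@1.4.0"]},
 "shell":{"command":"/usr/local/bin/example-shell-server","args":["--allow-all"]},
 "remote-api":{"url":"https://mcp.example.test/sse"}}}`

func main() {
	refs, err := InventoryMCP([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, r := range refs {
		fmt.Printf("%-10s %-7s %s %s\n", r.Name, r.Kind, r.Target, r.Version)
	}
	for _, r := range Unpinned(refs) {
		fmt.Printf("unpinned on-demand package: %s (server %q)\n", r.Target, r.Name)
	}
}
```

The three kinds map onto the three capabilities the paragraph names: a local command is what the agent can run, an npx entry is what it will pull from a registry at first use, and a URL is the remote service it can reach. Feeding each client's configuration file to InventoryMCP gives a per-machine list that can be diffed against a known-good baseline.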
Why did this gap persist? Because the people making decisions about security tools weren't the people whose machines were being targeted. Production security and developer security have different owners inside most organizations. Security teams own the former. Developers own the latter, and developers aren't security engineers. They install libraries quickly, update tools to keep projects running, and add extensions when colleagues recommend them. This is not carelessness. It's what working on software actually looks like. The security framework never caught up with the reality of the developer's workflow.
Section Four
What Bumblebee Gets Right
Perplexity released Bumblebee on May 22, 2026. It's written in Go, carries zero external dependencies, and runs on macOS and Linux. The fundamental design decision is an absolute one: Bumblebee never executes code. It reads lockfiles, package metadata, extension manifests, and configuration files. It never invokes npm, pip, or any package manager. It never triggers postinstall scripts. The constraint matters because a scanner that invokes install tools to check whether packages are safe has already triggered the attack it was scanning for. Bumblebee avoids this entirely by reading metadata only.
The tool supports three scan profiles calibrated for different situations. A baseline scan covers the most common exposure surfaces: global and user package roots, language toolchains, editor extensions, browser extensions, and MCP configurations. A project scan targets specific development directories where a team's active code lives. A deep scan sweeps broader roots, intended for active incident response when a known threat is circulating and speed of coverage matters more than scope management.
Output is structured NDJSON, one record per finding. Each record includes hostname, operating system, ecosystem, package name, version, source file, and a confidence level. Confidence is classified as high when the identification comes from canonical metadata, medium when version information is partial, and low when only a configuration reference is found. Security teams supply exposure catalogs: simple JSON files specifying which package versions are affected by which threats. When Bumblebee finds a match, it emits a finding record with severity, catalog ID, and the specific evidence chain. Every finding is traceable to the catalog entry that triggered it.
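An added example of the pipeline just described (written for this article, not Bumblebee's code): it inventories a package-lock.json by parsing alone, assigns the high and medium confidence levels, matches the inventory against an exposure catalog, and emits one NDJSON record per hit with the catalog ID that fired. The lockfile, the catalog, the JSON field names and the EXP- identifiers are all constructed for the example and are not Bumblebee's formats.

```go
package main

import (
	"encoding/json"
	"os"
	"runtime"
	"strings"
)

// Finding is one NDJSON record with the fields the article lists, plus severity
// and catalog ID once matched; the JSON keys are this example's own choice.
type Finding struct {
	Hostname   string `json:"hostname"`
	OS         string `json:"os"`
	Ecosystem  string `json:"ecosystem"`
	Package    string `json:"package"`
	Version    string `json:"version,omitempty"`
	SourceFile string `json:"source_file"`
	Confidence string `json:"confidence"` // high, medium or low
	Severity   string `json:"severity,omitempty"`
	CatalogID  string `json:"catalog_id,omitempty"`
}

// CatalogEntry is one exposure-catalog record (hypothetical layout).
type CatalogEntry struct {
	ID, Ecosystem, Package, Severity string
	Versions                         []string
}

// InventoryNpmLock parses a package-lock.json (lockfile v2/v3 "packages" map)
// into one Finding per installed package. Only the file is read; npm never runs.
func InventoryNpmLock(host, source string, lock []byte) ([]Finding, error) {
	var doc struct {
		Packages map[string]struct{ Version string } `json:"packages"`
	}
	if err := json.Unmarshal(lock, &doc); err != nil {
		return nil, err
	}
	var out []Finding
	for path, p := range doc.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 { // "" is the project itself; "packages/app" is a workspace member
			continue
		}
		name := path[i+len("node_modules/"):] // ".../node_modules/@s/b" -> "@s/b"
		conf := "high"                        // canonical metadata with a pinned version
		if p.Version == "" {
			conf = "medium" // entry present but version missing
		}
		out = append(out, Finding{Hostname: host, OS: runtime.GOOS, Ecosystem: "npm",
			Package: name, Version: p.Version, SourceFile: source, Confidence: conf})
	}
	return out, nil
}

// Match returns the findings that hit a catalog entry, carrying the entry's
// severity and ID so each finding is traceable to the record that fired. A
// version-less (medium) entry is kept so an analyst sees it rather than missing it.
func Match(findings []Finding, catalog []CatalogEntry) []Finding {
	var hits []Finding
	for _, f := range findings {
		for _, c := range catalog {
			if c.Ecosystem != f.Ecosystem || c.Package != f.Package {
				continue
			}
			matched := f.Version == ""
			for _, v := range c.Versions {
				matched = matched || v == f.Version
			}
			if matched {
				f.Severity, f.CatalogID = c.Severity, c.ID
				hits = append(hits, f)
			}
		}
	}
	return hits
}

// Constructed inputs (not real packages or threats): a nested dependency, a
// scoped package and one entry whose version is missing.
const sampleLock = `{"name":"demo","lockfileVersion":3,"packages":{
 "":{"name":"demo","version":"0.1.0"},
 "node_modules/example-http":{"version":"4.2.0"},
 "node_modules/example-http/node_modules/example-util":{"version":"1.9.3"},
 "node_modules/@example/logger":{"version":"2.0.1"}, "node_modules/example-legacy":{}}}`

var sampleCatalog = []CatalogEntry{
	{ID: "EXP-0001", Ecosystem: "npm", Package: "example-util", Versions: []string{"1.9.3", "1.9.4"}, Severity: "critical"},
	{ID: "EXP-0002", Ecosystem: "npm", Package: "example-legacy", Versions: []string{"0.9.0"}, Severity: "high"},
}

func main() {
	host, _ := os.Hostname()
	inv, err := InventoryNpmLock(host, "/home/dev/proj/package-lock.json", []byte(sampleLock))
	if err != nil {
		panic(err)
	}
	enc := json.NewEncoder(os.Stdout) // NDJSON: one JSON object per line
	for _, h := range Match(inv, sampleCatalog) {
		enc.Encode(h)
	}
}
```

Because every record carries hostname, source file and catalog ID, the output from many machines can be concatenated and filtered with ordinary line tools to answer the question from the previous section: which hosts have this package at this version right now.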
Perplexity already uses Bumblebee internally to protect the machines building its search product, its Comet browser, and its Computer agent. Their internal workflow has five steps: a threat signal arrives from public disclosures or intelligence feeds; an AI system drafts an exposure catalog entry and opens a pull request; a human reviews and merges it; Bumblebee runs across developer endpoints with the updated catalog; findings go to the security team. The open-source release makes this workflow available to any organization willing to run it.
The open-sourcing is the more significant act. Maintaining accurate threat intelligence across ten package ecosystems simultaneously is not something any single company can do efficiently alone. The npm registry sees hundreds of thousands of packages. PyPI sees tens of thousands more. New supply chain campaigns target multiple ecosystems at once specifically because defenders have historically focused on one at a time. By open-sourcing both the tool and the threat catalog structure, Perplexity is making a bet that community-maintained intelligence across ecosystems is more resilient than any closed internal feed.
The conventional picture of enterprise security is accurate as far as it goes. Firewall it, scan it, monitor it, alert on it. That framework, applied to production systems, has made those systems genuinely harder to breach. The problem is that "as far as it goes" now has to reach the developer who writes the code those systems run. The attack surface on a developer machine is categorically different from a server's, and it has been that way for years. Bumblebee isn't the last word on developer endpoint security. It's the industry's first serious answer to a question that has gone unasked for too long.