Bumblebee

A tier · New this week

A read-only, open-source CLI scanner that tells your security team exactly which developer laptops are sitting on a ticking supply-chain bomb — without triggering it.


Kai's verdict

Bumblebee fills a real and oddly underserved gap — existing SBOMs cover build artifacts, EDRs cover runtime, but nobody was cleanly answering 'which dev laptops have this evil package *right now*' without risk of making things worse. The read-only constraint is a genuine design win, not a limitation. (Verdict pending Phi's full review.)

Strengths

  • Truly read-only: never invokes npm, pip, or any package manager, so the scan can't itself trigger a malicious postinstall hook
  • Covers four surfaces that most tools split across separate products: package ecosystems (npm, PyPI, Go, RubyGems, Composer), editor extensions, browser extensions, and MCP configs
  • Single static Go binary with zero non-stdlib dependencies — trivially deployable via MDM or fleet tooling
  • Ships with a maintained threat_intel/ catalog of real supply-chain campaigns, updated via PR workflow
  • Three scan profiles (baseline, project, deep) handle both routine fleet audits and active incident response
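
The read-only design described above comes down to one rule: read manifests and lockfiles off disk and compare them with a catalog, never ask the package manager. The following Go program is an added illustration of that rule, not Bumblebee's own code; the `Indicator` and `Finding` types, the `ScanNpmLock` and `ScanRequirements` functions, the catalog entries and the sample lockfile and requirements file are all constructed for this example. Like the tool, it uses only the standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Indicator is one catalog entry: a package on a given ecosystem and the
// exact versions known to be compromised. Entries below are constructed
// placeholders, not real threat-intel data.
type Indicator struct {
	Ecosystem string
	Name      string
	Versions  []string
}

// Finding is a match between something pinned on disk and an Indicator.
type Finding struct {
	Ecosystem, Name, Version, Path string
}

// Constructed catalog standing in for a threat_intel/-style feed.
var catalog = []Indicator{
	{"npm", "example-backdoored-lib", []string{"2.4.1", "2.4.2"}},
	{"npm", "nested-evil", []string{"0.9.9"}},
	{"pypi", "example-typosquat", []string{"0.0.3"}},
}

// npmLock mirrors the subset of package-lock.json (lockfileVersion 2/3)
// needed here: the "packages" map keyed by install path.
type npmLock struct {
	Packages map[string]struct {
		Version string `json:"version"`
	} `json:"packages"`
}

// nameFromPath turns "node_modules/a/node_modules/@s/b" into "@s/b".
// The "" key is the root project itself and yields "".
func nameFromPath(p string) string {
	i := strings.LastIndex(p, "node_modules/")
	if i < 0 {
		return ""
	}
	return p[i+len("node_modules/"):]
}

// matches reports whether name@version is listed for eco in the catalog.
func matches(cat []Indicator, eco, name, version string) bool {
	for _, ind := range cat {
		if ind.Ecosystem != eco || ind.Name != name {
			continue
		}
		for _, v := range ind.Versions {
			if v == version {
				return true
			}
		}
	}
	return false
}

// ScanNpmLock inspects lockfile bytes already read from disk. It never
// executes npm, so an install hook in the tree cannot fire during the scan.
func ScanNpmLock(data []byte, cat []Indicator) ([]Finding, error) {
	var lf npmLock
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("parse package-lock.json: %w", err)
	}
	var out []Finding
	for path, pkg := range lf.Packages {
		name := nameFromPath(path)
		if name != "" && matches(cat, "npm", name, pkg.Version) {
			out = append(out, Finding{"npm", name, pkg.Version, path})
		}
	}
	// Map iteration order is random; sort so reports are stable and diffable.
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// ScanRequirements does the same for a pip requirements file. Only exact
// "name==version" pins can be checked against version-specific indicators;
// range specifiers are skipped because the installed version is unknown.
func ScanRequirements(data []byte, label string, cat []Indicator) []Finding {
	var out []Finding
	for n, line := range strings.Split(string(data), "\n") {
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i] // drop trailing comments
		}
		parts := strings.SplitN(strings.TrimSpace(line), "==", 2)
		if len(parts) != 2 {
			continue
		}
		name := strings.ToLower(strings.TrimSpace(parts[0])) // PyPI names are case-insensitive
		version := strings.TrimSpace(parts[1])
		if matches(cat, "pypi", name, version) {
			out = append(out, Finding{"pypi", name, version, fmt.Sprintf("%s:%d", label, n+1)})
		}
	}
	return out
}

// Constructed sample inputs standing in for files read from a developer laptop.
const sampleLock = `{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad-ish": {"version": "1.3.0"},
    "node_modules/example-backdoored-lib": {"version": "2.4.1"},
    "node_modules/example-backdoored-lib/node_modules/nested-evil": {"version": "0.9.9"}
  }
}`

const sampleReqs = `# constructed requirements.txt
requests==2.31.0
Example-Typosquat==0.0.3  # pinned, matches the catalog
safe-lib>=1.0
`

func main() {
	npm, err := ScanNpmLock([]byte(sampleLock), catalog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	all := append(npm, ScanRequirements([]byte(sampleReqs), "requirements.txt", catalog)...)
	for _, f := range all {
		fmt.Printf("%-5s %s@%s (%s)\n", f.Ecosystem, f.Name, f.Version, f.Path)
	}
}
```

Two choices are worth noting. Matching is on exact version, because compromised releases are usually specific versions and a range match would produce noise; the cost is that an unpinned `safe-lib>=1.0` line is silently skipped, which a fleet scanner should count and report rather than hide. And the nested `node_modules/.../node_modules/nested-evil` path is found because the lockfile keys encode the whole install tree, so a transitive dependency is caught without resolving anything.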

Weaknesses

  • macOS and Linux only — no Windows support at v0.1.1, a real gap for mixed-OS engineering orgs
  • One-shot scanner with no built-in scheduling, alerting, or dashboard; you own the orchestration entirely
  • Very early release (v0.1.1); some MCP configs (Codex, Continue YAML) are not yet parsed

Best for

Security engineers and DevSecOps teams at software companies who need fast, safe endpoint-level exposure checks the moment a new supply-chain advisory drops.

Pricing

Free (open source, Apache 2.0)

Fully open-source; no tiers, no SaaS. Self-hosted and self-scheduled.
