
Bumblebee is a read-only supply-chain scanner from Perplexity that checks your project dependencies, MCP servers, and editor extensions for suspicious packages in seconds. It is written in Go with zero non-standard-library dependencies — the scanner itself cannot be supply-chain-attacked through its own dependency tree — and it never modifies anything it inspects. You point it at a repo or your editor setup and get a fast, plain-English report of anything that looks off.
Editorial check
How this page is checked
Source trail
github.com
External links are separated from Surfaced commentary.
Reader safety
Context before clicks
Product links and external services are not presented as guarantees.
Monetization
No affiliate flag
Ads and commerce links are kept distinct from editorial text.
Surfaced take
Why It’s Useful
Every developer is suddenly installing MCP servers and AI editor extensions by the dozen, and almost nobody has a reliable way to audit what those packages actually do — Bumblebee fills exactly that gap, which is why it has been climbing GitHub and getting picked up in developer-tool roundups since its May 2026 release. It is still early (a few thousand stars and moving fast), but the design choices are the appealing part: read-only by principle, stdlib-only by discipline, and quick enough to run before every new install rather than as a quarterly chore. If you have ever pasted an MCP config from a stranger on the internet, this is the thirty-second sanity check you were missing.
Enjoyed this? Get five picks like this every morning.
Free daily newsletter — zero spam, unsubscribe anytime.





