

The fight to maintain security has moved to the engineer’s messy desktop.
Last week, AI search provider Perplexity open-sourced an internal tool, Bumblebee, for checking developer machines, either Linux or macOS, for vulnerable software.
Continuous integration pipelines have security checks baked into them, and Software Bills of Materials (SBOMs) record which version of each package actually shipped to runtime. So attackers are gravitating to the soft underbelly of enterprise security: the developer's laptop.
Most developer machines are no doubt teeming with unpatched and outdated software, byproducts of various experiments and projects. There’s probably an outdated version of Node.js on most machines, or perhaps a never-used Warp terminal. Or maybe they downloaded a malware-infested package at some point, and it is just sitting on the hard drive waiting to be activated.
And certainly, many Perplexity engineers have plenty of agent configurations and recipes lying around, any of which could be quietly edited to add malicious commands without the engineer's knowledge.
The dev’s local environment also likely has valuable credentials that can be used to further infiltrate a secured environment.
Bumblebee Goes from Folder to Folder Picking out Vulnerabilities
Bumblebee is a read-only scanner that is installed on developer computers to search for vulnerable software. It looks for packages, extensions, and AI tool configurations that have been used in other security breaches.
“Bumblebee is useful to all security teams. Whenever a new vulnerability is reported, they need to know right away if any of their machines were exposed,” stated the Perplexity blog about the Bumblebee release.
It should be noted that running Bumblebee requires a fair amount of preparation work for the organization.
In Perplexity’s case, the company built a catalog of potential threats, where each attack was manually reviewed. Potential threats can be identified from internal research, as well as from public disclosures, or third-party security consultations.
Each potential threat gets a GitHub pull request containing source links and a structured description detailing the ecosystem, and the name and version of the compromised software. The PR is manually reviewed, and if found relevant, entered into a catalog.
With this catalog, Bumblebee then checks the organization's developer and engineer computers for these potential attack points. It can run as a routine fleet-wide scan on a maintenance schedule, as a targeted scan of individual repositories or workspaces, or as a "response sweep" for a recently disclosed vulnerability.
Specifically, it looks for compromised packages across package-manager ecosystems: Yarn, npm, pnpm, Bun, PyPI, Go modules, RubyGems and Composer are all supported. It also inspects editor and browser extensions and MCP agent configurations.
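The catalog-driven sweep described above, as an added illustration that is not Bumblebee's code and does not use its catalog format: a curated list of (ecosystem, package, exact bad versions) entries is matched against lockfiles and pin files that have already been read from disk. The package names, versions, advisory URLs and sample workspace files are all constructed for the demo, and the three parsers are hypothetical stand-ins for the real tool's ecosystem support. The scan is read-only in the sense that matters here: it parses file contents and never invokes a package manager or any code it finds.

```python
# Illustrative read-only lockfile sweep against a curated threat catalog.
# Not Bumblebee's code; catalog schema, packages and versions are invented.
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CatalogEntry:
    """One manually reviewed threat: ecosystem, package and the exact bad versions."""
    ecosystem: str        # "npm", "pypi" or "go" (hypothetical subset)
    name: str             # canonical package name or Go module path
    versions: frozenset   # exact compromised versions; curated, so no ranges
    source: str           # link to the advisory or review PR behind the entry


# Constructed catalog: none of these packages or versions are real advisories.
CATALOG = (
    CatalogEntry("npm", "acme-telemetry", frozenset({"1.4.2", "1.4.3"}), "https://example.invalid/advisory/1"),
    CatalogEntry("pypi", "acme-utils", frozenset({"0.9.1"}), "https://example.invalid/advisory/2"),
    CatalogEntry("go", "example.invalid/acme/agent", frozenset({"v0.3.0"}), "https://example.invalid/advisory/3"),
)


def parse_package_lock(text):
    """npm lockfileVersion 2/3: every 'node_modules/<name>' key, including nested ones."""
    found = []
    for key, meta in json.loads(text).get("packages", {}).items():
        if "node_modules/" not in key:
            continue  # the "" key is the root project, not a dependency
        name = key.rsplit("node_modules/", 1)[1]
        if version := meta.get("version"):
            found.append((name, version))
    return found


def parse_requirements(text):
    """pip requirements with exact '==' pins; names normalised per PEP 503."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)", line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            found.append((name, m.group(2)))
    return found


def parse_go_sum(text):
    """go.sum lines look like '<module> <version>[/go.mod] h1:<hash>'."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            found.add((parts[0], parts[1].removesuffix("/go.mod")))
    return sorted(found)


PARSERS = {
    "package-lock.json": ("npm", parse_package_lock),
    "requirements.txt": ("pypi", parse_requirements),
    "go.sum": ("go", parse_go_sum),
}


def sweep(files, catalog=CATALOG):
    """Match already-read file contents against the catalog. Never executes anything."""
    index = {(e.ecosystem, e.name): e for e in catalog}
    findings = []
    for path, content in files.items():
        basename = path.rsplit("/", 1)[-1]
        if basename not in PARSERS:
            continue
        ecosystem, parser = PARSERS[basename]
        for name, version in parser(content):
            entry = index.get((ecosystem, name))
            if entry and version in entry.versions:
                findings.append({"path": path, "ecosystem": ecosystem, "name": name,
                                 "version": version, "source": entry.source})
    return findings


def response_sweep(files, ecosystem, name, catalog=CATALOG):
    """Response sweep for one newly reported package: same scan, catalog narrowed to it."""
    subset = [e for e in catalog if e.ecosystem == ecosystem and e.name == name]
    return sweep(files, subset)


# Constructed sample workspace; these are not files from any real machine.
SAMPLE_FILES = {
    "~/src/web/package-lock.json": json.dumps({
        "name": "web", "lockfileVersion": 3,
        "packages": {
            "": {"name": "web"},
            "node_modules/acme-telemetry": {"version": "1.4.2"},
            "node_modules/left-side/node_modules/acme-telemetry": {"version": "1.3.0"},
        }}),
    "~/src/ml/requirements.txt": "Acme_Utils==0.9.1  # pinned\nacme-other==2.0.0\n",
    "~/src/agent/go.sum": ("example.invalid/acme/agent v0.3.0 h1:aaaa=\n"
                           "example.invalid/acme/agent v0.3.0/go.mod h1:bbbb=\n"),
}

if __name__ == "__main__":
    for f in sweep(SAMPLE_FILES):
        print(f"{f['path']}: {f['ecosystem']} {f['name']}@{f['version']} (see {f['source']})")
```

Two details are worth keeping when extending this to a fleet: match on exact versions from the curated catalog rather than version ranges, so a finding always traces back to one reviewed entry, and keep the parsers pure functions of file contents so a "response sweep" for a fresh advisory is just the same scan with a one-entry catalog.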
According to Perplexity, it was important to keep Bumblebee "read only" so that a scan never inadvertently executes the very malware it is looking for.
The company also stresses that Bumblebee is not an Endpoint Detection and Response (EDR) platform that continuously monitors endpoint devices for runtime intrusions.
“SBOMs help answer what shipped, and EDR helps answer what ran or touched the network, but supply-chain response often needs a different view: messy local state across lockfiles, package-manager metadata, extension manifests, and supported developer-tool configs,” Bumblebee’s GitHub page states.
Dev Desktops as an Emerging Threat Surface
With SBOMs covering what ships and EDR covering what runs, it's not surprising that attackers are turning to the developer's desktop as an access point for nefarious activities.
In late 2022, continuous integration service provider CircleCI suffered a breach that stemmed from malware on an engineer's laptop. The malware stole the engineer's valid session token, letting attackers impersonate the employee and exfiltrate customer secrets.
LastPass was breached twice that year, and both intrusions ran through developer endpoints. The first started from a compromised developer endpoint and pulled source code from 14 LastPass code repositories. The second began on a DevOps engineer's home computer, where a keylogger captured the engineer's master password after authentication and gave attackers access to the corporate vault and the encrypted backups it protected.
As Perplexity realizes, work laptops are a serious blind spot in most organizations' defense-in-depth strategies. Bumblebee shows how to shore up these devices, and leave no honey for the malicious hacker.