
Your Agent's MCP Config Is a Supply-Chain Blind Spot. Perplexity Just Shipped the Scanner

Bumblebee reads the messy local state every other tool ignores — including the MCP configs that feed your AI agents. It crossed 4,400 GitHub stars in three weeks because almost nothing else looks there.

NeuroX AI · June 13, 2026

On May 22, Perplexity open-sourced Bumblebee, a read-only supply-chain scanner that answers one question: when an advisory names a poisoned package, which of your machines has it installed right now? It crossed 4,400 GitHub stars in three weeks — and the reason is the surface almost nothing else checks.

Most scanners read your lockfiles. Bumblebee covers 8 package ecosystems plus IDE and browser extensions — and then adds the surface that matters for agents: MCP host config files (mcp.json, claude_desktop_config.json, and the rest). That's the gap. A tampered MCP config can deliver attacker-controlled instructions straight into an agent's working memory, then exfiltrate credentials or invoke tools in the background with no visible trace.

This isn't hypothetical. The Shai-Hulud npm campaigns this year hit dependencies used by TanStack, SAP, and Zapier. The whole point of Bumblebee is post-incident triage: an advisory drops, and you need to know which endpoints match today, not next quarter.

The tool itself sets the bar — a single static Go binary, zero non-stdlib dependencies, never executing an install script. That's the same discipline production agents need: scoped, inspectable, no implicit trust. If your agents read from MCP servers and you can't enumerate which configs they touch, you don't have a security posture — you have a guess.
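To make the triage question concrete for MCP configs, here is an added Go example (not Bumblebee's code and not part of the original post) that parses a config read-only and reports which server entries reference a package named in an advisory. It assumes the `mcpServers` layout with `command`/`args` entries as used in claude_desktop_config.json; the package names, sample config, and the `MatchAdvisory`/`splitSpec` helpers are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample in the "mcpServers" layout; package names are made up.
const sampleConfig = `{"mcpServers": {
  "files": {"command": "npx", "args": ["-y", "@example/mcp-files@1.4.2"]},
  "fetch": {"command": "npx", "args": ["-y", "example-mcp-fetch"]},
  "local": {"command": "/usr/local/bin/notes-server", "args": ["--stdio"]}
}}`

// Only the launch arguments are inspected; nothing in the config is executed.
type server struct{ Args []string `json:"args"` }

// Finding is one MCP server entry whose launch arguments name the advisory package.
// An empty Version means the entry is unpinned.
type Finding struct{ Server, Package, Version string }

// splitSpec splits an npm-style spec ("name@ver", "@scope/name@ver") into name and version.
func splitSpec(arg string) (name, version string) {
	if i := strings.LastIndex(arg, "@"); i > 0 { // i == 0 is a scope prefix, not a version
		return arg[:i], arg[i+1:]
	}
	return arg, ""
}

// MatchAdvisory returns every server whose args reference pkg, sorted by server name.
func MatchAdvisory(config []byte, pkg string) ([]Finding, error) {
	var doc struct{ Servers map[string]server `json:"mcpServers"` }
	if err := json.Unmarshal(config, &doc); err != nil {
		return nil, fmt.Errorf("parse MCP config: %w", err)
	}
	var out []Finding
	for name, s := range doc.Servers {
		for _, a := range s.Args {
			if n, v := splitSpec(a); n == pkg {
				out = append(out, Finding{name, n, v})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Server < out[j].Server })
	return out, nil
}

func main() { fmt.Println(MatchAdvisory([]byte(sampleConfig), "@example/mcp-files")) }
```

An unpinned hit cannot be cleared from the config alone, because the version that actually ran depends on what the launcher resolved at the time.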
