Perplexity Open-Sources Bumblebee: A Read-Only Scanner Built to Catch Supply-Chain Attacks Before They Spread

What Bumblebee Actually Does

Perplexity rolled out Bumblebee on Thursday, and it's worth paying attention to. The tool is an open-source scanner that checks developer laptops for compromised packages, sketchy browser extensions, and AI tool configurations that might be tied to an ongoing supply-chain security incident. It's written in Go, it lives on GitHub, and it started life inside Perplexity itself — built to protect the developer systems running behind the company's own products before they decided to share it with everyone.

Think of it as a flashlight for that specific corner of your machine where modern attacks tend to hide. Not a full antivirus. Not a vulnerability database. Something narrower and, honestly, more useful when an incident is actively unfolding.

A Read-Only Approach to Endpoint Security

Here's the part that makes Bumblebee different from the usual crop of scanners. Most vulnerability tools work by invoking package managers — they call npm, they call pip, they poke around the way a developer would. The problem? That very poking can set off the trap.

Bumblebee runs in read-only mode. It reads metadata files directly. Lockfiles, manifests, that kind of thing. It never executes code. It never calls npm or pip. It just looks.

Perplexity put it pretty bluntly in the blog post announcing the release: "npm packages can carry postinstall scripts that run automatically the moment npm install touches them. That's how most recent supply-chain worms have spread." And then the kicker: "A scanner that invokes npm to check for exposure has already triggered the attack it was looking for."

Read that twice. The scanner becomes the delivery mechanism. That's the whole problem Bumblebee is built to sidestep.

The Four Surfaces It Covers

Perplexity says existing open-source tools tend to handle only parts of the puzzle. Bumblebee tries to cover four areas in one place:

• Language package managers — npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer
• AI agent configurations, including MCP
• Editor extensions for the VS Code family — VS Code, Cursor, Windsurf, VSCodium
• Browser extensions across Chromium-family browsers and Firefox

That AI agent piece is the one that feels especially of-the-moment. As more developers wire their machines into MCP servers and agentic tooling, those configurations become a real attack surface, not a theoretical one.

Designed for the Way Incident Response Actually Works

Bumblebee comes with three scan profiles, and they map pretty cleanly to how teams actually operate. There's a baseline scan for routine scheduled checks — the kind of background hygiene you set and forget. There's a project-level scan for when you want to focus on a specific repository. And there's a deep sweep mode for when something has gone wrong and you need to know what's on your machines right now.

Every detection links back to the catalog entry that triggered it. You get timestamps. You get evidence. So instead of staring at a vague alert, you can actually trace what was found, why, and when.

How Perplexity Computer Fits In

The tool integrates with Perplexity Computer, the company's AI agent. When new threats surface, the agent drafts updates to the catalog that Bumblebee runs against. Those drafts don't go live on their own — they pass through human review first, and then the refreshed catalog gets pushed out to endpoints.

It's a sensible workflow. AI handles the speed of triage, humans handle the judgment calls, and the scanner itself stays read-only and predictable.

Why This Matters Right Now

Supply-chain attacks aren't a niche concern anymore. A ReversingLabs report from January flagged a 73% increase in malicious open-source packages. That's a meaningful jump, and it's the kind of trend that doesn't reverse on its own.

Bumblebee carves out a specific spot in the security stack. It's not an SBOM scanner — those handle repositories and build artifacts. It's not an endpoint inventory product — those cover installed applications more broadly. It's focused on the developer laptop itself as an attack surface. The machine where the code gets written, where the editor extensions live, where the browser sessions happen, where the AI agents run.

Where to Get It

The project is available for macOS and Linux under an open-source license. Security teams can run it against their own catalogs and feed the findings into whatever response workflow they already use. No vendor lock-in. No black box. Just a scanner doing one specific thing and doing it without setting off the very threats it's looking for.