Perplexity Open-Sources Bumblebee to Scan Developer Machines for Supply-Chain Threats


Perplexity has open‑sourced Bumblebee, a read‑only security scanner that checks developer machines for compromised packages, browser extensions, and AI tool configurations without ever executing potentially malicious code. The tool, written in Go with zero external dependencies, already protects the systems behind Perplexity Search, Comet browser, and Computer agent.

What Bumblebee Actually Does

When a supply‑chain vulnerability surfaces, security teams face one urgent question: which developer machines are exposed right now? Existing tools miss the answer. Software Bill of Materials scanners cover build artifacts. Endpoint detection products watch running processes. Neither checks the local developer state — lockfiles, package manifests, extension configs, and AI tool settings scattered across a laptop’s filesystem.

Bumblebee fills this gap. It’s a read‑only inventory collector for macOS and Linux developer endpoints, written entirely in Go with zero non‑standard‑library dependencies. On each invocation, it performs a single scan and outputs structured findings as newline‑delimited JSON — no persistent daemon, no process monitoring, no network inspection.

  • Read‑only by design: Reads metadata files directly — lockfiles, manifests, installed package records. Never invokes npm, pnpm, pip, or any package manager. As the Perplexity announcement [2] explains, npm packages can carry postinstall scripts that run automatically on install — a scanner that invokes npm to check exposure has already triggered the attack it was looking for.
  • Four scan surfaces: Covers language package managers (npm, PyPI, Go modules, RubyGems, Composer), MCP AI agent configs, editor extensions (VS Code family), and browser extensions (Chromium + Firefox) — surfaces that typically require separate tools.
  • Three scan profiles: Baseline (routine laptop scan), Project (targeted repo/workspace scan), and Deep (incident‑response sweep across entire home directory).
  • Open source, Apache 2.0: Available at github.com/perplexityai/bumblebee. Any team can run it with their own threat catalogs.

How Perplexity Uses It Internally

Perplexity runs Bumblebee to protect the developer systems behind its search product, Comet browser, and Computer AI agent. When a new threat emerges — flagged by public disclosures, third‑party intel feeds, or internal research — Perplexity Computer drafts a catalog entry with the ecosystem, package name, and affected versions, then opens a GitHub pull request. A human developer reviews and merges it. Bumblebee then scans all endpoints against the updated catalog and routes findings to the security team.

This pipeline turns a threat signal into an endpoint scan without manual catalog maintenance, according to MarkTechPost. Teams adopting Bumblebee can replicate the same workflow with their own review process.

The Attack Bumblebee Would Have Caught

On May 11, a hacker group tracked by Google as UNC6780 (also known as TeamPCP) planted malicious code into 160+ software packages used by millions of developers. The campaign, which Yahoo Tech reports has been running coordinated software poisoning since at least March 2026, affected packages from Mistral AI, UiPath, and a React tool with 12 million weekly downloads.

“The malicious code fired automatically on install, before anyone noticed anything was wrong,” the Perplexity team said in its announcement [2]. “A scanner that invokes the package manager to check for infections can trigger those same scripts. You go looking for the worm; the worm runs.”

Bumblebee sidesteps this by reading only metadata — lockfiles and manifests — never executing install scripts, lifecycle hooks, or package manager commands.
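
The metadata-only approach described above, as an added example that is not Bumblebee's code: a Go function that matches a package-lock.json against a catalog of affected versions by parsing the file, never invoking npm. The Catalog shape, the Finding fields and all package names are assumptions made for the illustration, and matching is on exact version strings only.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// Catalog maps "ecosystem:name" to affected versions (hypothetical shape).
type Catalog map[string][]string

// Finding is one catalog match, located by its path key in the lockfile.
type Finding struct{ Name, Version, Path string }

// sampleLock is a constructed package-lock.json (v3); all names are fictional.
const sampleLock = `{"lockfileVersion":3,"packages":{"":{"version":"1.0.0"},
 "node_modules/left-widget":{"version":"2.4.0"},
 "node_modules/@acme/ui":{"version":"7.0.3"},
 "node_modules/host/node_modules/left-widget":{"version":"2.4.1"}}}`

// ScanNpmLock matches lockfile entries against the catalog by parsing bytes
// only; npm is never invoked, so no lifecycle script can run.
func ScanNpmLock(lock []byte, cat Catalog) ([]Finding, error) {
	var doc struct{ Packages map[string]struct{ Version string } }
	if err := json.Unmarshal(lock, &doc); err != nil {
		return nil, fmt.Errorf("parse lockfile: %w", err)
	}
	const nm = "node_modules/"
	var out []Finding
	for path, p := range doc.Packages {
		// Name follows the last "node_modules/"; nested installs are checked too.
		i := strings.LastIndex(path, nm)
		if i >= 0 && slices.Contains(cat["npm:"+path[i+len(nm):]], p.Version) {
			out = append(out, Finding{path[i+len(nm):], p.Version, path})
		}
	}
	slices.SortFunc(out, func(a, b Finding) int { return strings.Compare(a.Path, b.Path) })
	return out, nil
}

func main() {
	cat := Catalog{"npm:left-widget": {"2.4.1"}, "npm:@acme/ui": {"7.0.3", "7.0.4"}}
	found, _ := ScanNpmLock([]byte(sampleLock), cat)
	for _, f := range found {
		line, _ := json.Marshal(f)
		fmt.Println(string(line)) // one JSON object per line (NDJSON)
	}
}
```

The top-level left-widget 2.4.0 is clean; the affected 2.4.1 copy is a transitive install nested under another package, which is why the scan walks every path key rather than only direct dependencies.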

MCP Config Scanning Is the Genuinely New Part

Most security tools check software packages and maybe browser extensions. Bumblebee adds a fourth surface that almost nothing else covers: MCP configuration files. These JSON configs tell AI assistants like Claude and Cursor which external services they can connect to — email, databases, calendars, code repositories. A malicious connector slipped into an MCP config could leak credentials or run unauthorized background commands.

Bumblebee parses mcp.json, .mcp.json, claude_desktop_config.json, mcp_config.json, mcp_settings.json, cline_mcp_settings.json, and Gemini CLI settings — without emitting environment values or key names from env blocks. Non‑JSON MCP configs like Codex’s config.toml and Continue’s YAML format are not yet supported in the current v0.1.1 release.
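
An added example (not Bumblebee's code) of inventorying an MCP config while keeping env contents out of the output: each server's env block is reduced to an entry count before anything is emitted. It assumes the common top-level mcpServers layout; the MCPServer fields, server names and sample secret are constructed for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// MCPServer is one inventoried connector; env is kept only as a count.
type MCPServer struct {
	Name     string   `json:"name"`
	Command  string   `json:"command"`
	Args     []string `json:"args,omitempty"`
	EnvCount int      `json:"env_count"`
}

// sampleConfig is a constructed mcp.json; server names and secret are fake.
const sampleConfig = `{"mcpServers":{
 "mail":{"command":"npx","args":["-y","example-mail-mcp"],
         "env":{"MAIL_TOKEN":"constructed-secret","MAIL_USER":"dev"}},
 "files":{"command":"/usr/local/bin/files-mcp"}}}`

// InventoryMCP parses config bytes only; env entries are counted, then dropped.
func InventoryMCP(cfg []byte) ([]MCPServer, error) {
	var doc struct {
		Servers map[string]struct {
			Command string
			Args    []string
			Env     map[string]json.RawMessage
		} `json:"mcpServers"`
	}
	if err := json.Unmarshal(cfg, &doc); err != nil {
		return nil, fmt.Errorf("parse MCP config: %w", err)
	}
	var out []MCPServer
	for name, s := range doc.Servers {
		out = append(out, MCPServer{name, s.Command, s.Args, len(s.Env)})
	}
	slices.SortFunc(out, func(a, b MCPServer) int { return strings.Compare(a.Name, b.Name) })
	return out, nil
}

func main() {
	servers, _ := InventoryMCP([]byte(sampleConfig))
	for _, s := range servers {
		line, _ := json.Marshal(s)
		fmt.Println(string(line)) // one JSON object per configured server
	}
}
```

Because the output type has no field that can hold an env key or value, a later change to the printing code cannot leak them by accident.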

What This Signals About Perplexity’s Strategy

Open‑sourcing internal security tooling is unusual for an AI company in 2026, especially one valued in the tens of billions. Most labs treat their security infrastructure as proprietary competitive advantage. Perplexity’s decision to release Bumblebee under Apache 2.0 signals a bet that developer trust is a product moat — that builders are more likely to adopt Perplexity’s products (Search, Comet, Computer) if they see the company taking supply‑chain security seriously enough to share its tools.

The move also positions Perplexity in a growing conversation about AI agent security. As more developers wire AI assistants into their local environments via MCP, the attack surface expands. Bumblebee addresses that surface directly, years before most security vendors have even acknowledged it exists.

Getting Started

Requirements: Go 1.25 or later. Installation is a single command:

go install github.com/perplexityai/bumblebee@latest
bumblebee selftest

The repository ships with a threat_intel/ directory containing maintained catalogs built from public campaign reporting. Operators control scan cadence through their own scheduling — cron, launchd, systemd, or MDM fleet tooling. Each finding includes a confidence score (high/medium/low), traceable evidence back to the catalog entry, and severity classification.

Sources

  1. MarkTechPost (marktechpost.com)
  2. Announcement (perplexity.ai)
