Follow ZDNET: Add us as a preferred source on Google.

ZDNET's key takeaways

• Perplexity Bumblebee is an open-source developer security program.
• Bumblebee doesn't require AI or a subscription.
• The program aims to spot problems on programmers' laptops. 

If you're a programmer, you're painfully aware that there's been a flood of successful malicious attacks on your software supply chain. These attacks include the Axios npm package compromise, the PyPI LiteLLM AI attack, and the CanisterSprawl npm assault. 

What's a programmer to do when they can't even trust the very building blocks of their program? Well, there are several approaches, and the latest comes from Perplexity. 

According to the AI company, Bumblebee is a "read‑only scanner we use to check developer machines for risky packages, extensions, and AI tool configs during supply‑chain incidents." The company said in its announcement that the program is one of "the internal tools we use to protect the developer systems behind Perplexity, Comet, and Computer."

Also: How I got my business emails through spam filters with SPF, DKIM, and DMARC

The security question Bumblebee is built to answer

The tool is built to answer the first question that pops up in your mind after a new supply‑chain advisory: Do any of our programmers have this thing installed? 

Bumblebee runs on MacOS and Linux developer machines and is available now as an open-source Go project. You can plug the tool's results into whatever security system you're already using.

Instead of targeting code or runtime behavior, Bumblebee focuses on four specific surfaces. Perplexity claimed existing open‑source tools tend to cover one or two of these surfaces, while Bumblebee can handle all four at once:

• Language package managers: npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, and Composer
• AI agent configs: Model Context Protocol (MCP)
• Editor extensions: VS Code‑family (i.e., VS Code, Cursor, Windsurf, VSCodium)
• Browser extensions: Chromium‑family (Chrome, Comet, Edge, Brave, Arc) and Firefox

Also: The patching treadmill: Why traditional application security is no longer enough

In other words, this tool is for people running JavaScript/TypeScript, Python, Go, Ruby, and PHP; programmers experimenting with AI MCP configurations; and developers living inside VS Code‑style editors and Chromium‑style browsers.

How Bumblebee integrates into your internal workflow  

Bumblebee is part of a larger internal workflow, which Perplexity outlines as follows:

1. A threat signal is identified through public disclosures, third‑party intel feeds, or internal research.
2. Perplexity Computer drafts a catalog update. It enters the signal into a structured entry (ecosystem, name, version), and then opens a GitHub pull request (PR) with source links.
3. The detection is sent to human review, after which the PR is merged.
4. Bumblebee runs on endpoints with the updated catalog.
5. Findings are shared with the security team.

You don't have to use Perplexity's JSON catalog; you can now run Bumblebee with your own catalogs and review process. Each detection is "traceable, showing which catalog entry triggered the filing, when it was added, and any evidence," Perplexity noted.

You can use the open‑source Bumblebee catalog on GitHub. You'll find it in the threat_intel/ directory, which "holds maintained exposure catalogs built from public threat-intelligence reporting on recent supply-chain campaigns." Each file in that directory is a catalog in the standard JSON format (schema_version + entries). The README there explains the current catalog list and review guidance. To use the catalogs, you clone the repo and pass that directory to the scanner. For more on that step, see Bumblebee's Threat Intelligence Exposure Catalogs.

Also: Best VPN services: Expert tested and recommended

Alternatively, you can build your own Bumblebee catalog as a simple JSON file listing exact matches for the risky components you care about, such as ecosystem, package name, and affected versions. Bumblebee then compares local machine inventory against that catalog and flags only exact (ecosystem, name, version) matches, so the catalog is intentionally narrow and deterministic.

The scanner supports three profiles that map pretty cleanly to how developers and security teams think about scope:

• Baseline profile: Routine scan of standard laptop locations. Teams schedule the scan through their own systems.
• Project profile: Targeted scan of specific repos or workspaces.
• Deep profile: Response sweep for active incidents.

Perplexity positions this tool squarely in the "developer surface" tier: Software Bill of Materials (SBOM) and vulnerability scanners handle repositories and build artifacts. Endpoint inventory products cover installed applications. Bumblebee runs on the developer laptop. The key output is: "It tells you whether that machine has a specific package, version, extension, or MCP configuration installed when a supply‑chain advisory lands."

Read-only avoids risky scans

The company leans hard into "read‑only" as a security property, not just an implementation detail. In their words, "Bumblebee is read‑only. It reads metadata files directly and never lets potentially compromised tooling run, which prevents the scan from becoming a risk." They added: "Making Bumblebee read‑only helps avoid issues with install‑time code execution."

Also: 5 ways to fortify your network against the new speed of AI attacks

The post called out npm‑style postinstall attacks directly: "npm packages can carry postinstall scripts that run automatically the moment npm install touches them. That's how the most recent supply‑chain worms have spread." The warning for developer‑side scanners is blunt: "A scanner that invokes npm to check for exposure has already triggered the attack it was looking for."

Bumblebee's safety guarantees follow from what it refuses to do, said Perplexity:

• It never runs install scripts or lifecycle hooks.
• It never runs your package manager.
• Bumblebee never reads application source files; it reads metadata such as lockfiles, manifests, and installed package metadata.
• Bumblebee is not an Endpoint Detection and Response (EDR) program.

Framed this way, Bumblebee is not trying to replace endpoint detection tools or build‑time scanners. It's more of a targeted inventory probe focused on the specific metadata that spots when a particular programmer's PC is using vulnerable code.

Also: Stopping bugs before they ship: The shift to preventative security

Bumblebee is also not like Chainguard, where the focus is entirely on securing your software supply chain by hardening containers and pipelines rather than developer laptops. The guidance centers on concepts such as minimal, hardened base images, automated rebuilds when vulnerabilities are disclosed, and a policy that blocks non‑compliant artifacts from being shipped.

How Bumblebee compares to Chainguard

Bumblebee lives a step earlier in the lifecycle and a step closer to where developers actually work. Perplexity wrote that "security starts at the local developer surface," and that "the integrity of our products has to begin further up the supply‑chain than production." Where Chainguard's controls surround containers and build outputs, Perplexity said Bumblebee "runs on the developer laptop" and is used "to check developer machines for risky packages, extensions, and AI tool configs during supply‑chain incidents."

For developers, that approach translates into different touchpoints. Chainguard shows up as base images, policies, and SBOM requirements in your pipelines. Bumblebee is a program your security team runs on your laptop to see which packages, extensions, and MCP configs you currently have installed, and to note which are vulnerable. 

Also: My new favorite Windows app made my PC safer and more reliable - and it's free

Both approaches have their advantages. Personally, I prefer Chainguard's approach, which has been expanded to AI tools and code, but I can see how Bumblebee could be useful as well. The tool also has the advantage of being both free and open-source under the Apache 2.0 license.