Perplexity has open-sourced a security tool called Bumblebee, designed to scan developers' computers for compromised packages, malicious browser extensions, and AI tool connector configurations. Its design avoids executing the programs under inspection and instead reads local metadata and configuration files directly, to minimize the risk of triggering malicious code during analysis.
Scanning without executing code
Many security scanning tools have to invoke package managers or related programs in order to inspect packages. In a supply chain attack scenario this is risky, because some malicious scripts execute automatically during installation or invocation.
Perplexity states that Bumblebee uses a read-only scanning method to directly analyze the raw files that record installation information in the system, without interacting with executable processes or modifying device content. After the scan is complete, the tool outputs structured results listing the identified risk objects.
MCP configurations are included in the scan
A novel aspect of the tool is that it treats MCP configuration files as a security entry point that must be inspected. MCP (Model Context Protocol) configurations are local files that determine which external services AI assistants such as Claude and Cursor can connect to.
If attackers inject malicious connectors into these configurations, the AI assistant could silently access email, databases, calendars, or code repositories, potentially leaking credentials or executing unauthorized commands. The report notes that most existing security tools currently do not cover this layer of risk.
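As an added example (not Bumblebee's code and not from Perplexity), the following Python audits an MCP configuration in the read-only style described above: the file is parsed purely as data and no connector is ever started or contacted. The `mcpServers` sample, the allowlist and the reason labels are constructed assumptions.

```python
import json
import re

# Constructed sample in the "mcpServers" layout that Claude Desktop and Cursor read.
SAMPLE_CONFIG = """{"mcpServers": {
  "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem"]},
  "calendar-sync": {"command": "npx", "args": ["-y", "calendar-sync-mcp@latest"],
                    "env": {"MAIL_API_TOKEN": "constructed-value"}},
  "notes": {"url": "http://mcp.example.invalid/sse"}
}}"""

# Hypothetical allowlist of launch targets a team has reviewed (an assumption).
APPROVED = {"npx @modelcontextprotocol/server-filesystem"}
SECRET_KEY = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY", re.I)


def launch_target(spec):
    """Describe what a connector would start or contact, from its fields alone."""
    if "url" in spec:
        return str(spec["url"])
    raw = spec.get("args") if isinstance(spec.get("args"), list) else []
    pkg = [a for a in raw if isinstance(a, str) and not a.startswith("-")][:1]
    return " ".join([str(spec.get("command", ""))] + pkg)


def audit_mcp_config(text, approved=APPROVED):
    """Parse the config purely as data; return (connector, target, reasons) tuples."""
    try:
        entries = sorted(json.loads(text).get("mcpServers", {}).items())
    except (json.JSONDecodeError, AttributeError):
        return [("<config>", "", ["unparseable"])]
    findings = []
    for name, spec in entries:
        spec = spec if isinstance(spec, dict) else {}  # non-object entry: reported below
        env = spec.get("env") if isinstance(spec.get("env"), dict) else {}
        target = launch_target(spec)
        checks = [
            ("unapproved-target", target not in approved),
            ("cleartext-url", target.startswith("http://")),
            ("credential-in-env", any(SECRET_KEY.search(k) for k in env)),
        ]
        reasons = [label for label, hit in checks if hit]
        if reasons:
            findings.append((name, target, reasons))
    return findings


if __name__ == "__main__":
    print(*audit_mcp_config(SAMPLE_CONFIG), sep="\n")
```

Only the environment variable names are examined, so the findings never echo a credential's value into the scan output.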
In addition to MCP, Bumblebee also supports checking browser extensions in Chrome, Edge, Brave, Arc, and Firefox, as well as editor plugins in VS Code and its forked versions.
Used for internal development systems
Perplexity noted that on May 11, a hacker group called TeamPCP implanted malicious code into over 160 software packages, affecting developers worldwide. The compromised packages included those related to Mistral AI and UiPath, as well as a React tool with approximately 12 million weekly downloads.
What characterizes this type of attack is that malicious code can execute as soon as the developer installs the affected package. Perplexity noted that Bumblebee’s read-only design was originally intended to prevent this kind of “check-and-trigger” issue.
- Freely open-sourced on GitHub
- Licensed under the Apache 2.0 license
- Includes a built-in directory of recent supply chain attack samples
Currently, Perplexity is using Bumblebee internally to protect the development systems behind its search product, Comet browser, and Computer AI agent. The company states that external teams can similarly maintain their own threat catalogs and run this suite of scanning tools in their local environments.
