Perplexity has open-sourced Bumblebee, a read-only endpoint scanner designed to help security teams identify exposure to software supply-chain vulnerabilities on developer laptops without executing any potentially compromised code.
Perplexity developed Bumblebee to protect the developer systems behind its products, including Perplexity, Comet, and Computer, as software supply-chain attacks increasingly target packages, tools, and local environments rather than only production systems. The company is now making the tool available as an open source Go project for macOS and Linux, allowing any engineering organization to integrate it into their own security workflows and catalogs.
Internally, Perplexity uses Bumblebee as part of a broader process that starts when a threat signal is identified through public disclosures, third-party intelligence feeds, or internal research. Perplexity Computer then drafts a structured catalog entry describing the affected ecosystem, package name, and version, and opens a GitHub pull request with source links, which goes through human review before being merged. Once the catalog is updated, Bumblebee runs on developer endpoints, and its findings are routed back to the security team.
Bumblebee supports three scan profiles that determine how broadly and where it searches on a machine. A baseline profile performs routine scans of standard laptop locations and can be scheduled through existing device management or fleet tooling. A project profile focuses on specific repositories or workspaces, while a deep profile is intended for wide response sweeps during active security incidents. Each detection is traceable to a specific catalog entry, including when it was added and what evidence supports it.
The tool is positioned as a complement to SBOM and vulnerability scanners that cover repositories and build artifacts, and to endpoint inventory products that track installed applications. Bumblebee runs at the developer laptop layer and tells security teams whether a given machine has a particular package, version, editor extension, browser extension, or MCP configuration installed when a supply-chain advisory emerges.
Perplexity highlights that existing open-source tools tend to cover only one or two surfaces, whereas Bumblebee targets four. It reviews language package managers such as npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, and Composer, as well as AI agent configs via MCP. It also inspects editor extensions for VS Code-family editors, including VS Code, Cursor, Windsurf, and VSCodium, alongside browser extensions across Chromium-based browsers like Chrome, Comet, Edge, Brave, Arc, and Firefox.
A central design choice is that Bumblebee operates in a strictly read-only fashion. It reads metadata such as lockfiles, manifests, and installed package metadata directly, and avoids running install scripts, invoking package managers, reading application source files, or performing process and network monitoring. Perplexity argues this approach reduces the risk that scanning itself could trigger malicious behavior, noting that npm packages can contain postinstall scripts used in recent supply-chain worms and that a scanner invoking npm could inadvertently execute the very code it seeks to detect.
By open-sourcing Bumblebee, Perplexity aims to let security teams download the tool, point it at their own catalogs of problematic versions, and plug the resulting findings into whatever incident response or remediation workflows they already use. The company presents Bumblebee as one component within a larger security stack that combines automated threat tracking with human review and endpoint-level scanning across developer environments.
Read Article: Sitharaman Flags Fuel, Fertiliser and Forex Risks Amid Escalating Gulf Crisis

