Briefing
Supply chain attacks on AI tooling keep climbing, and Perplexity has answered with Bumblebee, an open-source scanner that checks a developer's machine for known-compromised packages across the AI stack. It launched at version 0.1.1, so it's early, but the scope is already worth a look.
Analysis
Here's the problem Perplexity is trying to solve. A modern AI project doesn't pull code from one place. It pulls from npm, PyPI, MCP servers, VS Code extensions, browser extensions, and half a dozen other registries. Every one of those is a door someone can walk through. Over the past year, attackers have figured that out, and they've started slipping malicious packages into the places developers least expect.
Bumblebee's pitch is simple: it tells you whether the machines your team codes on are carrying any packages that are already known to be compromised. It doesn't hunt for new vulnerabilities. It checks what's installed against lists of things security teams already know are bad.
Perplexity built it for its own use first. According to the company, the same scanner now helps protect the systems behind Perplexity Search, the Comet browser, and the Computer agent (MarkTechPost). Open-sourcing it means any team can run the same check, which is the part that should interest Australian businesses with developers on staff.
The Supply Chain Problem
A modern AI project pulls code from dozens of sources: npm packages for web interfaces, PyPI libraries for model serving, MCP servers for tool integration, VS Code extensions for development, and browser extensions for user interfaces. Each dependency is a way in for an attacker.
Bumblebee takes a different angle from a typical project scanner. Rather than walking one project's dependency tree, it looks at the developer's machine itself (the global package roots, toolchains, editor and browser extensions, and MCP configs) and reports which endpoints are carrying packages that match a known-compromised list (perplexityai/bumblebee). The point is to find which developer laptops are at risk, not to audit a single folder.
What's Scanned
Bumblebee covers a wide spread of ecosystems. The confirmed coverage runs broader than the five categories below: it also reaches Go modules, RubyGems, Composer, Homebrew, and agent skills, and the package managers include pnpm, Yarn, and Bun alongside npm (perplexityai/bumblebee).
npm packages: The original release notes described checks for known CVEs, suspicious post-install scripts, and excessive permission requests. That framing appears to be inaccurate. Bumblebee does no CVE scanning of its own; security teams supply their own catalogs of known-compromised packages to match against, and the tool never runs package managers or executes install scripts (MarkTechPost).
PyPI libraries: Claims that Bumblebee detects typosquatting, malicious setup.py patterns, and dependency-confusion vulnerabilities are unconfirmed and look to be off the mark. What the documentation describes is read-only inventory of PyPI package metadata, matched against known-compromise catalogs, not heuristic analysis of package contents (perplexityai/bumblebee).
MCP servers: Bumblebee inventories MCP configs and manifests. Reports of live server validation against known-good configurations are unconfirmed; the tool reads the config inventory rather than checking running servers (perplexityai/bumblebee).
VS Code extensions: Editor extensions are in scope, and not just VS Code: Cursor, Windsurf, and VSCodium are covered too. The detailed permission-and-publisher review described in early write-ups is unconfirmed; what's documented is read-only inventory.
Browser extensions: Chromium and Firefox extensions are inventoried. The claim of active malicious-code-pattern analysis is unconfirmed; again, the tool reads what's installed rather than analysing extension code.
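The read-only inventory-and-match approach described for npm and PyPI above, as an added Python sketch. It is not Bumblebee's code; the catalog layout, package names, and function names are assumptions made for illustration, and the sample install tree is constructed.

```python
import json
import re
import tempfile
from email import message_from_string
from pathlib import Path

# Hypothetical catalog layout (an assumption, not Bumblebee's format):
# (ecosystem, normalized name) -> set of known-compromised versions.
CATALOG = {("npm", "example-bad-pkg"): {"1.4.2"},
           ("pypi", "example-bad-lib"): {"0.9.1", "0.9.2"}}
# Constructed sample install tree: relative path -> file content.
SAMPLE = {
    "proj/node_modules/example-bad-pkg/package.json": '{"name": "example-bad-pkg", "version": "1.4.2"}',
    "proj/node_modules/@scope/fine/package.json": '{"name": "@scope/fine", "version": "2.0.0"}',
    "proj/node_modules/broken/package.json": "{not json",
    "venv/site-packages/Example_Bad.Lib-0.9.1.dist-info/METADATA": "Metadata-Version: 2.1\nName: Example_Bad.Lib\nVersion: 0.9.1\n\n",
}

def inventory_npm(root):
    """Read name/version from installed package.json files; runs nothing."""
    for manifest in Path(root).rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        if ("node_modules" in manifest.parts and isinstance(data, dict)
                and data.get("name") and data.get("version")):
            yield ("npm", str(data["name"]), str(data["version"]), str(manifest.parent))

def inventory_pypi(root):
    """Read Name/Version headers from *.dist-info/METADATA files."""
    for meta in Path(root).rglob("*.dist-info/METADATA"):
        msg = message_from_string(meta.read_text(encoding="utf-8", errors="replace"))
        if msg["Name"] and msg["Version"]:
            # PEP 503 normalization so "Example_Bad.Lib" matches "example-bad-lib"
            name = re.sub(r"[-_.]+", "-", msg["Name"]).lower()
            yield ("pypi", name, msg["Version"], str(meta.parent))

def scan(root, catalog=CATALOG):
    """Return (ecosystem, name, version) for installed packages in the catalog."""
    items = [*inventory_npm(root), *inventory_pypi(root)]
    return sorted({i[:3] for i in items if i[2] in catalog.get(i[:2], ())})

def scan_sample():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text, encoding="utf-8")
        return scan(tmp)
```

The matcher only parses metadata files already on disk, so a hit means "this exact name and version is in the catalog" and nothing more; a package absent from the catalog is unreported, not cleared.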
How It Works
Bumblebee runs as a CLI tool, and it's written in Go, so you install it with go install rather than through npm. Earlier coverage described an npx @perplexity/bumblebee command, but that's wrong; there is no npm package by that name. The real install pulls the Go binary from the repository:
go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest
bumblebee scan --profile baseline
Profiles control how deep the scan goes (baseline, project, and deep). It runs read-only on macOS and Linux, which is a deliberate choice: read-only means it won't accidentally trigger a harmful script while it's looking around (MarkTechPost).
You'll see claims that a typical scan finishes in under 30 seconds, with local caching and incremental updates. Those numbers are unverified. No primary or secondary source backs them up, so treat them as unconfirmed until Perplexity or independent testing pins down real figures.
Early but Promising
At v0.1.1, Bumblebee is an early release, and the version number says as much. (The repo has since moved to v0.1.2.) There's been talk of a roadmap covering SBOM generation, licence compliance checking, and integration with GitHub Advanced Security, but none of that is confirmed. No published roadmap of those items turned up in the repo or in reporting, so treat it as rumoured rather than planned.
Why This Matters
As AI tooling chains get more tangled, the attack surface grows with them. A compromised npm package or a malicious VS Code extension can expose API keys, training data, or model weights. Bumblebee gives you a way to ask a blunt question ("Are any of my developers' machines carrying packages we already know are bad?") and get an answer without running anything risky.
Perplexity open-sourcing the tool fits a wider shift: supply chain security is something the whole industry has to share, not solve in private. If you have developers, adding an endpoint scanner like Bumblebee to your security routine is a sensible move. Just go in with clear eyes about what it does: it's a known-compromise matcher for developer machines, not a full vulnerability scanner for your project's dependency tree. The tool lives at perplexityai/bumblebee under Apache 2.0.


