Updated · ZDNet · May 28
Perplexity Launches Open-Source Bumblebee Scanner for 4 Developer Surfaces
4 articles
  • Bumblebee is available now as an open-source Go project for macOS and Linux, letting security teams scan developer laptops for exact matches to risky packages, extensions and AI tool configurations.
  • The tool is designed as read-only: it inspects lockfiles, manifests and installed-package metadata on disk without invoking package managers or install scripts, so the scan itself cannot trigger the postinstall-style attacks it is meant to detect.
  • Perplexity says Bumblebee covers 4 surfaces at once—language package managers, MCP AI agent configs, VS Code-family editor extensions and Chromium- or Firefox-based browser extensions—rather than focusing on code repositories or runtime behavior.
  • Teams can use Perplexity's GitHub threat-intelligence catalogs or their own JSON catalogs, then run baseline, project or deep incident-response scans and feed findings into existing security workflows.
  • Perplexity positions Bumblebee as a laptop-level inventory probe, distinct from tools like Chainguard that harden containers, pipelines and shipped artifacts later in the software supply chain.
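To make concrete what a read-only, exact-match scan of a lockfile looks like, here is an added example in Go. It is not Bumblebee's code and does not use its catalog format: the JSON catalog schema, the package name and the reason text are assumptions for illustration, and both the catalog and the package-lock.json are constructed inline. The scanner only decodes bytes already on disk and reports exact ecosystem/name@version matches; it never calls npm, so no preinstall or postinstall hook can run as a side effect of the scan.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding is one exact ecosystem/name@version match between a locked
// dependency and a catalog entry.
type Finding struct {
	Ecosystem, Name, Version, Reason string
}

// CatalogEntry is one row of a hypothetical JSON threat catalog. This shape
// is an assumption for the example, not Bumblebee's catalog format.
type CatalogEntry struct {
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
	Version   string `json:"version"`
	Reason    string `json:"reason"`
}

// npmLock is the subset of package-lock.json (lockfileVersion 2/3) we read:
// the "packages" map keyed by path under node_modules.
type npmLock struct {
	Packages map[string]struct {
		Version string `json:"version"`
	} `json:"packages"`
}

func catalogKey(eco, name, ver string) string { return eco + "/" + name + "@" + ver }

// LoadCatalog parses the JSON catalog into an exact-match index.
func LoadCatalog(raw []byte) (map[string]CatalogEntry, error) {
	var entries []CatalogEntry
	if err := json.Unmarshal(raw, &entries); err != nil {
		return nil, err
	}
	idx := make(map[string]CatalogEntry, len(entries))
	for _, e := range entries {
		idx[catalogKey(e.Ecosystem, e.Name, e.Version)] = e
	}
	return idx, nil
}

// nameFromLockPath maps "node_modules/a/node_modules/@s/b" to "@s/b",
// so nested copies of a package are matched by their own name.
func nameFromLockPath(path string) string {
	const marker = "node_modules/"
	if i := strings.LastIndex(path, marker); i >= 0 {
		return path[i+len(marker):]
	}
	return path
}

// ScanNpmLock decodes a package-lock.json and reports exact matches.
// It parses bytes only; it never invokes npm, so no install hook can fire.
func ScanNpmLock(lock []byte, idx map[string]CatalogEntry) ([]Finding, error) {
	var l npmLock
	if err := json.Unmarshal(lock, &l); err != nil {
		return nil, err
	}
	var out []Finding
	for path, p := range l.Packages {
		if path == "" { // "" is the root project itself, not a dependency
			continue
		}
		name := nameFromLockPath(path)
		if e, ok := idx[catalogKey("npm", name, p.Version)]; ok {
			out = append(out, Finding{"npm", name, p.Version, e.Reason})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name }) // map order is random
	return out, nil
}

// Constructed sample inputs: a fictional catalog entry, and a lockfile holding
// the flagged version once and a near-miss version (2.0.0) once.
var SampleCatalog = []byte(`[
  {"ecosystem":"npm","name":"example-compromised-pkg","version":"2.0.1",
   "reason":"constructed example: postinstall hook exfiltrates tokens"}
]`)

var SampleLock = []byte(`{
  "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/example-compromised-pkg": {"version": "2.0.1"},
    "node_modules/some-dep/node_modules/example-compromised-pkg": {"version": "2.0.0"}
  }
}`)

func main() {
	idx, err := LoadCatalog(SampleCatalog)
	if err != nil {
		panic(err)
	}
	findings, err := ScanNpmLock(SampleLock, idx)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s@%s: %s\n", f.Ecosystem, f.Name, f.Version, f.Reason)
	}
}
```

Running it reports only example-compromised-pkg@2.0.1; the nested 2.0.0 copy is left alone because the match is exact, which is the trade-off such an inventory probe makes: no false positives from version ranges, but a catalog entry must name the precise version. The same pattern extends to the other surfaces the article lists by adding a decoder per manifest type (editor extension lists, MCP server configs, browser extension manifests) that feeds the same index.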
As AI-driven attacks like the Axios hack grow, can a free scanner truly shield developers from state-sponsored threats?
With attackers now targeting laptops, is the industry's focus on securing code repositories and pipelines fundamentally flawed?