Perplexity launched Bumblebee, an open-source, read-only scanner that checks developer machines for risky packages, extensions, and AI tool configurations during supply-chain incidents. The Go-based tool runs on macOS and Linux under the Apache 2.0 license, free of charge and with no subscription required. Bumblebee covers four surfaces in one pass: language package managers (npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer), AI agent configurations that use the Model Context Protocol (MCP), VS Code-family editor extensions, and Chromium-family and Firefox browser extensions. The scanner reads the metadata files on disk directly and never invokes a package manager or runs install scripts, so it avoids the postinstall-script attack vector behind recent supply-chain worms: a scanner that shelled out to `npm install` to enumerate a tree could itself trigger the malicious lifecycle hook it is looking for. Perplexity uses it internally to protect the developer systems behind Perplexity, Comet, and Computer.
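To make the read-only approach concrete, here is an added example in Go (the language Bumblebee is written in) that is not Bumblebee's own code. It parses an npm `package-lock.json` (lockfileVersion 2 or 3) purely as JSON, never shelling out to npm, and reports two things a responder wants during an incident: dependencies matching a compromised `package@version` indicator list, and dependencies whose lockfile entry declares an install lifecycle script (`hasInstallScript`). The sample lockfile, the package name `evil-helper`, the indicator list and the function names `ScanLock` and `packageName` are all constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample npm lockfile (lockfileVersion 3 layout). Example data for
// this illustration only; "evil-helper" is an invented package name.
const sampleLock = `{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-app", "version": "1.0.0" },
    "node_modules/left-pad": { "version": "1.3.0" },
    "node_modules/evil-helper": { "version": "2.1.0", "hasInstallScript": true },
    "node_modules/nested/node_modules/evil-helper": { "version": "0.9.0" }
  }
}`

// Hypothetical indicator list of compromised package@version pairs. In a real
// incident this would come from the advisory for that incident.
var compromised = map[string]bool{
	"evil-helper@2.1.0": true,
}

type lockPackage struct {
	Version          string `json:"version"`
	HasInstallScript bool   `json:"hasInstallScript"` // set by npm for packages with (pre|post)install hooks
}

type lockFile struct {
	LockfileVersion int                    `json:"lockfileVersion"`
	Packages        map[string]lockPackage `json:"packages"`
}

// Finding is one flagged dependency and the reason it was flagged.
type Finding struct {
	Name    string
	Version string
	Reason  string
}

// packageName extracts the package name from a "packages" key such as
// "node_modules/nested/node_modules/@scope/bar" -> "@scope/bar".
// The root project entry has key "" and yields "".
func packageName(key string) string {
	const marker = "node_modules/"
	i := strings.LastIndex(key, marker)
	if i < 0 {
		return ""
	}
	return key[i+len(marker):]
}

// ScanLock reads lockfile bytes and returns findings sorted deterministically.
// It only decodes JSON: no npm process is started, so no lifecycle script can
// run as a side effect of the scan.
func ScanLock(data []byte, indicators map[string]bool) ([]Finding, error) {
	var lf lockFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("parse lockfile: %w", err)
	}
	if lf.LockfileVersion < 2 {
		// v1 lockfiles nest "dependencies" instead of a flat "packages" map.
		return nil, fmt.Errorf("unsupported lockfileVersion %d (need the \"packages\" map)", lf.LockfileVersion)
	}
	var out []Finding
	for key, pkg := range lf.Packages {
		name := packageName(key)
		if name == "" {
			continue // root project entry
		}
		if indicators[name+"@"+pkg.Version] {
			out = append(out, Finding{name, pkg.Version, "matches compromised package@version indicator"})
		}
		if pkg.HasInstallScript {
			out = append(out, Finding{name, pkg.Version, "declares an install lifecycle script"})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		return a.Name+a.Version+a.Reason < b.Name+b.Version+b.Reason
	})
	return out, nil
}

func main() {
	findings, err := ScanLock([]byte(sampleLock), compromised)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s@%s: %s\n", f.Name, f.Version, f.Reason)
	}
}
```

The nested `evil-helper@0.9.0` is deliberately left unflagged: indicator matching is on the exact version, which is how real advisories list affected releases, and the scan walks every nested `node_modules` path in the map rather than only top-level dependencies. A multi-ecosystem scanner applies the same idea to each manager's own lockfile format; this block covers only the npm v2/v3 layout.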






