Perplexity Open-Sources Bumblebee Security Tool

Imagine you suspect someone poisoned a bottle of water in your house. To check, you drink from every bottle. That's roughly how most security scanners work.

Perplexity just open-sourced a tool called Bumblebee that takes a different approach. It scans developer computers for infected software packages, malicious browser extensions, and compromised AI tool configs—without ever running the code it finds. It reads the code, the ingredient label instead of eating the food.

On May 11, a hacker group called TeamPCP slipped malicious code into over 160 software packages used by millions of developers worldwide—including packages from Mistral AI, UiPath, and a widely used React tool with 12 million weekly downloads. The attack spread automatically the moment developers installed those packages. Perplexity’s Bumblebee could have prevented that, the company says.

Why "read-only" is the whole point

Software packages—especially in the JavaScript world—can run hidden scripts the moment you install them. That's exactly how the May 11 attack spread so fast. The malicious code fired automatically on install, before anyone noticed anything was wrong.

A scanner that invokes the package manager to check for infections can trigger those same scripts. You go looking for the worm; the worm runs. Bumblebee sidesteps this by never calling any package manager at all. It reads raw metadata files—the records that describe what's installed—without touching the software itself.

The genuinely new piece is that Bumblebee also scans MCP configuration files—the local files that tell AI assistants like Claude or Cursor which external services they're allowed to connect to.

MCP connectors give AI tools access to emails, databases, calendars, and code. If an attacker sneaks a malicious connector into that config, your AI assistant could leak credentials or run unauthorized commands in the background. Most security tools aren't checking for this yet.

Beyond MCP, it covers browser extensions on Chrome, Edge, Brave, Arc, and Firefox, plus editor plugins in VS Code and its forks. The whole scan happens in one pass, outputs a clean structured list of what it found, and never modifies anything on the machine.

How Perplexity uses it internally

Perplexity has been running Bumblebee internally to protect the systems behind its search product, its Comet browser, and its Computer AI agent. When a new threat surfaces, Perplexity Computer drafts a catalog entry for it, a human reviews and approves it, and Bumblebee runs across all developer machines to check for matches.

Teams can run their own catalogs the same way. The tool ships with a built-in threat directory seeded from recent supply-chain attacks, including the May 11 campaign. The group behind that attack—tracked by Google under the alias UNC6780—has been running coordinated software poisoning campaigns since at least March 2026.