Bumblebee is a free, open-source security tool that checks developer computers for compromised software packages, malicious browser extensions, and tampered AI connector configurations—all without executing any of the potentially infected code it examines.
Most security scanners work by invoking the very software they are inspecting, which can accidentally trigger the attacks they were designed to detect. Bumblebee takes a fundamentally different approach: it reads raw metadata files rather than running the code itself—examining the ingredient label, so to speak, instead of consuming the food.
Why "Read-Only" Is the Whole Point
Software packages—particularly in the JavaScript ecosystem—can execute hidden scripts the instant they are installed. That is precisely how a major supply-chain attack spread so rapidly on May 11, when a hacker group known as TeamPCP slipped malicious code into more than 160 software packages used by millions of developers worldwide. Affected packages included those from Mistral AI, UiPath, and a widely used React library with 12 million weekly downloads. The malicious code fired automatically upon installation, before anyone noticed anything was wrong.
A conventional scanner that calls a package manager to check for infections risks triggering those same hidden scripts—you go looking for the worm, and the worm runs. Bumblebee sidesteps this entirely by never invoking any package manager. Instead, it reads the raw metadata records that describe what is installed, without touching the software itself.
One genuinely novel aspect of the tool is its ability to scan MCP (Model Context Protocol) configuration files—the local files that tell AI assistants such as Claude or Cursor which external services they are permitted to connect to. MCP connectors can grant AI tools access to emails, databases, calendars, and source code. If an attacker manages to insert a malicious connector into that configuration, an AI assistant could silently leak credentials or execute unauthorized commands in the background. Most existing security tools are not yet scanning for this threat surface, making Bumblebee the first open-source scanner to treat MCP config files as a security concern.
Beyond MCP, Bumblebee covers browser extensions on Chrome, Edge, Brave, Arc, and Firefox, as well as editor plugins in VS Code and its forks. The entire scan runs in a single pass, produces a clean structured list of findings, and never modifies anything on the machine.
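The read-only idea described above, for both installed-package metadata and MCP connector configuration, can be sketched as follows. This is an added example, not Bumblebee's own code: the catalog shape, package names, versions and hosts are constructed placeholders, and only the npm `package-lock.json` layout (`packages`, `hasInstallScript`) and the `mcpServers` config key are real formats.

```python
import json
from urllib.parse import urlsplit

# Constructed sample inputs: package names, versions and hosts are placeholders.
LOCKFILE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-ui-kit": {"version": "4.2.1", "hasInstallScript": True},
    "node_modules/@scope/safe-lib": {"version": "2.0.0"},
    "node_modules/a/node_modules/example-ui-kit": {"version": "4.1.0"},
}})
MCP_CONFIG = json.dumps({"mcpServers": {
    "calendar": {"command": "npx", "args": ["-y", "example-calendar-mcp"]},
    "notes": {"url": "https://mcp.bad.example/sse"},
    "helper": {"command": "npx", "args": ["-y", "example-ui-kit"]},
}})
# Hypothetical catalog shape (assumption; not Bumblebee's format).
CATALOG = {"npm": {"example-ui-kit": {"4.2.1"}}, "mcp_hosts": {"mcp.bad.example"}}


def scan_lockfile(text, catalog):
    """Match name/version pairs from lockfile text; npm is never invoked."""
    findings = []
    for path, meta in json.loads(text).get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry
        name = path.rpartition("node_modules/")[2]  # nested and scoped paths
        if meta.get("version") in catalog["npm"].get(name, set()):
            findings.append(("package", name, meta["version"],
                             bool(meta.get("hasInstallScript"))))
    return findings


def scan_mcp(text, catalog):
    """Flag connectors that point at a cataloged host or launch a cataloged package."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        host = urlsplit(server.get("url", "")).hostname
        if host in catalog["mcp_hosts"]:
            findings.append(("mcp", name, f"host {host}"))
        for arg in server.get("args", []):
            if arg in catalog["npm"]:
                findings.append(("mcp", name, f"launches {arg}"))
    return findings


if __name__ == "__main__":
    for finding in scan_lockfile(LOCKFILE, CATALOG) + scan_mcp(MCP_CONFIG, CATALOG):
        print(finding)
```

Both functions take file contents as text, so a caller only needs read access to the lockfile and the MCP config, and no installed code or lifecycle script ever runs.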
How Perplexity Uses It Internally
Perplexity has been running Bumblebee internally to protect the systems behind its search product, its Comet browser, and its Computer AI agent. When a new threat surfaces, Perplexity Computer drafts a catalog entry for it, a human reviews and approves it, and Bumblebee then runs across all developer machines to check for matches.
"Bumblebee started as an internal tool," the company noted in a statement. "Making Perplexity products more secure for users starts with protecting the developer systems we use to build them."
Teams can run their own threat catalogs in the same way. The tool ships with a built-in threat directory seeded from recent supply-chain attacks, including the May 11 campaign. The group behind that attack—tracked by Google under the alias UNC6780—has been running coordinated software-poisoning campaigns since at least March 2026.
Bumblebee is available free of charge under the Apache 2.0 license, meaning anyone can run it, modify it, improve it, or fork it without legal repercussions.
Why It Matters
The read-only scanning approach is significant because many supply-chain attacks—including the May 11 campaign—are designed to execute automatically on installation or invocation, meaning a conventional scanner could itself become the trigger for the attack it is trying to detect.
MCP configuration files represent a relatively new and largely unmonitored attack surface: if tampered with, they can silently expose AI assistants to credentials, databases, and source code without any visible user action. Bumblebee is the first open-source tool to include this surface in its scope.
The Apache 2.0 license means security teams can adapt the threat catalog and scanning logic to their own environments without licensing restrictions, and can contribute detections back to the shared catalog.