Perplexity Opens Bumblebee Scanner to Protect Developer Systems
Perplexity has open-sourced Bumblebee, a dependency scanner for developer systems on macOS and Linux. The scanner analyzes npm, PyPI, Go modules, MCP configs, b

Perplexity has released the source code of its internal security tool Bumblebee. It is a read-only scanner for development machines that builds an inventory of installed dependencies so that risky ones can be spotted, without running any of their code and without invoking a package manager.
What is Bumblebee
Bumblebee is an inventory collector for macOS and Linux systems.
Perplexity developed it specifically to protect its own development systems, where its AI search Comet and Computer agent operate. The tool works on a read-only principle: it analyzes already installed dependencies and extensions, but never runs their code. This is critical for security.
Many attacks on development systems fire during package installation or extension initialization. Malicious code can hide in lifecycle scripts that a package manager runs automatically during install (npm preinstall and postinstall hooks, a Python source distribution's setup.py), in code that executes when a module is first imported, or in an extension's activation routine. Because Bumblebee only reads manifests and metadata from disk, it never gives such code a chance to run while it builds the inventory.
This is what makes it safe to point the scanner at a machine whose packages you do not yet trust: if it encounters a malicious package, it does not execute it, it records it and reports it to the developer as suspicious. The caveat a practitioner should keep in mind is that read-only scanning only avoids triggering payloads during the scan itself; a hook that already ran when the package was installed has already had its chance, so a flagged package should be treated as a possible compromise of that machine, not merely as a dependency to remove.
What dependencies does Bumblebee scan
Bumblebee was built as a multi-ecosystem scanner: it inventories dependencies from several package ecosystems and development tools. The supported sources are:
npm packages for the Node.js ecosystem
PyPI packages for Python and pip
Go modules and dependencies
MCP (Model Context Protocol) configurations
Browser extensions (Chrome, Firefox and others)
Code editor plugins (VS Code, Sublime and others)
Each of these is a recurring vector in supply chain attacks, which is why Perplexity chose to open-source the tool: the company believes other developers and organizations should have access to security tooling of this kind.
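As an added example, not Bumblebee's own code and not from Perplexity, here is a small read-only inventory collector in Python in the spirit of what the two sections above describe. It reads npm package.json manifests, PyPI dist-info METADATA files, go.sum, and an MCP server config; it flags npm packages that carry install-time lifecycle hooks and MCP servers that resolve a registry package at every start; and it never invokes a package manager or executes anything it finds. The directory tree it scans, the package names in it, the mcp.json file name and the {"mcpServers": ...} layout are all constructed for this example.

```python
"""Read-only dependency inventory in the spirit of the scanner described above.
Added illustrative example, not Perplexity's Bumblebee code: it only reads files, never
invokes a package manager or executes what it finds. The scanned tree is constructed."""
import json
import tempfile
from email.parser import Parser
from pathlib import Path

# npm lifecycle hooks that `npm install` runs automatically for a dependency
NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

def scan_npm(root: Path) -> list:
    """Read each installed package.json; record install-time hooks, never run them."""
    items = []
    for pkg_json in root.rglob("package.json"):
        up = pkg_json.parent.parent  # node_modules/<name> or node_modules/@scope/<name>
        if "node_modules" not in (up.name, up.parent.name):
            continue
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, still execute nothing
        if not isinstance(meta, dict):
            continue
        scripts = meta.get("scripts") if isinstance(meta.get("scripts"), dict) else {}
        items.append({"ecosystem": "npm", "name": meta.get("name", pkg_json.parent.name),
                      "version": meta.get("version", "?"),
                      "install_hooks": {k: v for k, v in scripts.items() if k in NPM_LIFECYCLE}})
    return items

def scan_pypi(site_packages: Path) -> list:
    """Parse *.dist-info/METADATA headers (RFC 822 style) without importing the package."""
    items = []
    for meta_file in site_packages.glob("*.dist-info/METADATA"):
        headers = Parser().parsestr(meta_file.read_text(encoding="utf-8", errors="replace"))
        items.append({"ecosystem": "pypi", "name": headers.get("Name", meta_file.parent.name),
                      "version": headers.get("Version", "?")})
    return items

def scan_go(gosum: Path) -> list:
    """Collect module/version pairs from go.sum (skip the duplicate '/go.mod' hash lines)."""
    seen, items = set(), []
    for line in gosum.read_text(encoding="utf-8").splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].endswith("/go.mod") or (parts[0], parts[1]) in seen:
            continue
        seen.add((parts[0], parts[1]))
        items.append({"ecosystem": "go", "name": parts[0], "version": parts[1]})
    return items

def scan_mcp(config: Path) -> list:
    """Read MCP server entries; the {"mcpServers": {name: {command, args}}} layout is assumed."""
    items = []
    for name, spec in json.loads(config.read_text(encoding="utf-8")).get("mcpServers", {}).items():
        command = spec.get("command", "")
        items.append({"ecosystem": "mcp", "name": name,
                      "command": " ".join([command] + list(spec.get("args", []))),
                      # npx/uvx launchers resolve and run a registry package on every start
                      "fetches_remote": command in ("npx", "uvx")})
    return items

def inventory(root: Path) -> list:
    """Walk a developer tree read-only and mark entries that deserve a second look."""
    items = scan_npm(root)
    for site_packages in root.rglob("site-packages"):
        items += scan_pypi(site_packages)
    for gosum in root.rglob("go.sum"):
        items += scan_go(gosum)
    for cfg in root.rglob("mcp.json"):  # config file name is an assumption for this example
        items += scan_mcp(cfg)
    for item in items:
        item["flagged"] = bool(item.get("install_hooks")) or bool(item.get("fetches_remote"))
    return items

def build_fixture(base: Path) -> Path:
    """Write a constructed developer tree with fake package names; returns its root."""
    npm = base / "proj" / "node_modules"
    (npm / "harmless-util").mkdir(parents=True)
    (npm / "harmless-util" / "package.json").write_text(
        json.dumps({"name": "harmless-util", "version": "1.0.0"}))
    (npm / "suspicious-pkg").mkdir()
    (npm / "suspicious-pkg" / "package.json").write_text(json.dumps(
        {"name": "suspicious-pkg", "version": "0.0.9",
         "scripts": {"postinstall": "node setup.js"}}))  # would run code at install time
    info = base / "venv" / "lib" / "site-packages" / "fakelib-1.2.3.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text("Metadata-Version: 2.1\nName: fakelib\nVersion: 1.2.3\n")
    (base / "proj" / "go.sum").write_text(
        "example.com/mod v1.4.0 h1:abc=\nexample.com/mod v1.4.0/go.mod h1:def=\n")
    (base / "proj" / "mcp.json").write_text(json.dumps(
        {"mcpServers": {"notes": {"command": "npx", "args": ["-y", "some-mcp-server"]}}}))
    return base

def demo() -> list:
    """Build the fixture in a fresh temp dir and inventory it."""
    return inventory(build_fixture(Path(tempfile.mkdtemp(prefix="inventory_demo_"))))

if __name__ == "__main__":
    for entry in demo():
        print(("FLAG " if entry["flagged"] else "     ") + json.dumps(entry))
```

The point of the design is that every function takes a path and returns data: nothing in the module spawns a process, imports a scanned package, or calls npm, pip or go, so running it against a tree that contains a malicious postinstall hook is no riskier than listing the directory. The "flagged" field is deliberately coarse, an install hook or an npx/uvx launcher is a reason to look, not proof of compromise.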
Why supply chain security is critical
Supply chain attacks became one of the most damaging classes of threat in 2024–2025. Instead of attacking the final product, attackers target the tools and libraries that thousands of companies and developers rely on. Concrete incidents are on record: a few years ago a malicious version was injected into a popular npm package and silently collected data from developer machines, and in another well-known case an image processing library carried hidden code that launched a crypto miner on the developer's machine when the module was imported.
"Developer systems are the keys to the kingdom for any company. If you compromise a developer's machine, you can gain access to source code, credentials, API tokens, deployment secrets, and much more." This is a common view in the InfoSec community, and it is exactly where Bumblebee fits: the tool is designed to surface such risks early, before a malicious dependency reaches a production server and starts causing real damage.
What this means
Perplexity's open-source tool reflects a growing recognition across the industry that securing development systems is not optional. It lets any developer or company regularly check which dependencies are installed on a machine and identify potentially dangerous or outdated versions. For solo developers, it is a chance to find problems in their own projects before anything reaches a public server.
For large companies, it is a tool for DevOps infrastructure audits and security policy compliance checks. For security and DevOps teams, it is one building block in a defense against supply chain attacks. In effect, Perplexity has shared a piece of its internal security tooling with the developer community, which is a good sign for the industry.