Perplexity’s Bumblebee: The Free Security Scanner Every Developer Needs Right Now

On May 11, 2026, a hacker group called UNC6780 (also tracked as TeamPCP by Google) poisoned over 160 software packages. React tools, Mistral AI packages, UiPath libraries — packages with millions of weekly downloads. The malicious code ran automatically on install. Before anyone ran a scan, the damage was already done.

A week later, Perplexity open-sourced Bumblebee — an internal security tool they’d been using to protect their own developer machines. It’s free, it’s read-only, and it scans surfaces that most other security tools don’t touch: MCP config files.

If you’re a developer with npm packages, VS Code extensions, a Chrome extension or two, and an AI assistant wired into your local machine — this is worth fifteen minutes of your time.

What Is Bumblebee?

Bumblebee is a read-only security scanner for macOS and Linux, written entirely in Go with zero external dependencies. Perplexity built it internally to protect the developer systems behind their search product, Comet browser, and Computer agent. Now it’s open-source under Apache 2.0.

The core job is narrow: when a security advisory lands naming a specific vulnerable package or extension, Bumblebee tells you which machines in your organization have it installed right now. Not what’s running in production — what’s sitting on developer laptops. That gap is where most supply-chain attacks live.

What It Scans

• Package ecosystems: npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer
• Editor extensions: VS Code, Cursor, Windsurf
• Browser extensions: Chromium-based browsers and Firefox
• MCP configuration files: Claude Desktop, Cline, Gemini CLI, and other AI assistant configs

That last one is new territory. As far as Perplexity knows, Bumblebee is the first open-source scanner to treat MCP configs as a security surface. More on why that matters in a moment.

The Problem It Actually Solves

Here’s the uncomfortable thing about traditional security scanners: some of them are vulnerable to the exact attacks they’re meant to catch.

When malicious code is baked into a package’s install scripts, a scanner that invokes the package manager to check for infections can trigger those scripts. You go looking for the worm; the worm runs. Perplexity’s team described this directly when announcing Bumblebee.

Bumblebee avoids this entirely. It reads only metadata — lockfiles, manifests, extension manifests, MCP JSON configs. It never runs package managers, never executes install scripts, never touches lifecycle hooks. Single pass, structured output, no machine modifications.

“A scanner that invokes the package manager to check for infections can trigger those same scripts. You go looking for the worm; the worm runs.” — Perplexity team

Why the MCP Scanning Part Actually Matters

If you’ve been setting up AI assistants locally — Claude Desktop, Cline in VS Code, Gemini CLI — you’ve probably configured MCP servers. These are the local JSON files that tell your AI assistant which external services it can connect to: databases, calendars, email, code repositories.

MCP crossed 97 million monthly SDK downloads in 2026. A lot of developers are wiring AI assistants directly into sensitive environments. The security implications of that haven’t fully caught up yet.

If an attacker slips a malicious connector into your MCP config — through a compromised package or a poisoned tool — your AI assistant can leak credentials or run unauthorized commands in the background without you noticing. Bumblebee scans those config files directly and flags anything that matches known threat patterns.

Most EDR tools and vulnerability scanners don’t look here at all. This is a blind spot that Bumblebee addresses before most security vendors have acknowledged it exists.

How to Install and Run It

You need Go 1.25 or later. Installation is a single command:

go install github.com/perplexityai/bumblebee@latest

Run a self-test to confirm everything is working:

bumblebee selftest

Bumblebee ships with three scan profiles depending on what you need:

Baseline — Daily Inventory

Scans global/user package roots, language toolchains, editor extensions, browser extensions, and MCP configs. Runs in 5–15 seconds. Good for scheduled scans via cron or launchd.

bumblebee scan --profile baseline > daily-inventory.ndjson

Project — Active Development

Scans configured development directories like ~/code, ~/src, or ~/work. Useful if you want recurring inventory on packages tied to specific projects.

bumblebee scan --profile project \
  --root "$HOME/code" \
  --root "$HOME/work" > project-inventory.ndjson

Deep — Incident Response

For when something has already gone wrong and you need to check everywhere. Broader surface area, longer scan time, meant for active investigation rather than routine checks.

Output is structured NDJSON. Teams can pipe it into whatever logging or alerting infrastructure they already use, or just review the output directly.

The Threat Intel Side

The repository ships with a threat_intel/ directory — maintained catalogs of known-bad packages, extensions, and MCP connectors built from public campaign reporting. You can use Perplexity’s catalog, add to it, or replace it entirely with your organization’s own threat data.

For organizations already using Perplexity’s Computer agent, Bumblebee can integrate directly — triggering deeper scans automatically when new supply-chain risks surface. That’s a fairly slick workflow if you’re already in that ecosystem.

Who This Is Actually For

Bumblebee is built for security engineers and DevSecOps teams managing developer fleets. The value is clearest during supply-chain incidents, where the question isn’t “are we secure in production?” but “which of our 40 developer laptops has this specific package version installed right now?”

That said — if you’re a solo developer with a messy local environment, AI assistants configured through MCP, and no real security tooling beyond your firewall, running a baseline scan once a week costs you nothing. The install takes two minutes. The scan takes fifteen seconds.

The May 11 attack hit packages with 12 million weekly downloads. Someone who maintains those packages had to deal with that. The question is how fast you’d know if one of those packages was sitting on your machine.

One Thing Worth Watching

Open-sourcing internal security tooling is unusual for an AI company at Perplexity’s scale. Most labs treat security infrastructure as competitive advantage and keep it internal. Whether this is genuine contribution to the developer community or a positioning play in the growing conversation about AI agent security — probably a bit of both, honestly.

Either way, the tool works, it’s Apache 2.0, and the read-only design is the right call for this problem. More interesting to me is what it signals about MCP security becoming a real concern. We’re at the point where AI agents are being wired into production environments fast enough that the attack surface is expanding faster than anyone is auditing it. Bumblebee is an early answer to that. There will be more.

Repository: github.com/perplexityai/bumblebee