Perplexity Built a Tool That Checks Your Computer for Infected Software—Without Setting Off the Infection

Decrypt

Imagine you suspect someone poisoned a bottle of water in your house. To check, you drink from every bottle. That's roughly how most security scanners work.


Perplexity just open-sourced a tool called Bumblebee that takes a different approach. It scans developer computers for infected software packages, malicious browser extensions, and compromised AI tool configs—without ever running the code it finds. It reads the code rather than running it: checking the ingredient label instead of eating the food.


On May 11, a hacker group called TeamPCP slipped malicious code into over 160 software packages used by millions of developers worldwide—including packages from Mistral AI, UiPath, and a widely used React tool with 12 million weekly downloads. The attack spread automatically the moment developers installed those packages. Perplexity’s Bumblebee could have prevented that, the company says.


Why "read-only" is the whole point


Software packages—especially in the JavaScript world—can run hidden scripts the moment you install them. That's exactly how the May 11 attack spread so fast. The malicious code fired automatically on install, before anyone noticed anything was wrong.




A scanner that invokes the package manager to check for infections can trigger those same scripts. You go looking for the worm; the worm runs. Bumblebee sidesteps this by never calling any package manager at all. It reads raw metadata files—the records that describe what's installed—without touching the software itself.
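A minimal sketch of the read-only approach described above, added here as an illustration and not taken from Bumblebee's source: it parses `package.json` files under `node_modules` as data, flags install-time lifecycle hooks, and matches name and version against a catalog. The catalog entry, the package names and the `scan` and `build_sample` helpers are constructed for this example.

```python
import json
import tempfile
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall")  # npm hooks that run on install
# Constructed catalog for this example: package name -> known-bad versions.
CATALOG = {"example-poisoned-pkg": {"1.4.2"}}

def scan(root, catalog=CATALOG):
    """Inventory installed npm packages by reading package.json files only."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        if "node_modules" not in manifest.parts:
            continue
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, change nothing
        if not isinstance(meta, dict) or not isinstance(meta.get("name"), str):
            continue
        version = meta.get("version") if isinstance(meta.get("version"), str) else None
        scripts = meta.get("scripts")
        hooks = [h for h in LIFECYCLE if isinstance(scripts, dict) and h in scripts]
        findings.append({
            "name": meta["name"],
            "version": version,
            "install_hooks": hooks,  # would have executed if a package manager ran
            "catalog_match": version in catalog.get(meta["name"], ()),
            "path": manifest.relative_to(root).as_posix(),
        })
    return findings

def build_sample(root):
    """Write a constructed node_modules tree (hypothetical package names)."""
    samples = [
        ("example-clean-pkg", {"name": "example-clean-pkg", "version": "2.0.0"}),
        ("example-poisoned-pkg", {"name": "example-poisoned-pkg", "version": "1.4.2",
                                  "scripts": {"postinstall": "node setup.js"}}),
        ("@scope/broken", None),  # malformed manifest, must not crash the scan
    ]
    for rel, meta in samples:
        pkg_dir = Path(root, "node_modules", rel)
        pkg_dir.mkdir(parents=True)
        text = "{not json" if meta is None else json.dumps(meta)
        (pkg_dir / "package.json").write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(json.dumps(scan(tmp), indent=2))
```

The scanner never imports, requires or spawns anything from the tree it inspects, so a `postinstall` hook shows up as a string in the report rather than as a running process.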




The genuinely new piece is that Bumblebee also scans MCP configuration files—the local files that tell AI assistants like Claude or Cursor which external services they're allowed to connect to.


MCP connectors give AI tools access to emails, databases, calendars, and code. If an attacker sneaks a malicious connector into that config, your AI assistant could leak credentials or run unauthorized commands in the background. Most security tools aren't checking for this yet.
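One way a defender could audit such a config, shown as an added example that is not Bumblebee's code: parse the file as JSON, compare each connector against an approved baseline, and report which credential-like environment variable names it receives. The `mcpServers` layout with `command`, `args`, `env` and `url` keys is assumed here, and the baseline, server names and URL are constructed.

```python
import json

# Constructed allowlist for this example: server name -> approved launch command or URL.
APPROVED = {
    "github": ["npx", "-y", "@example/github-mcp"],
    "notes": ["node", "/opt/mcp/notes.js"],
}
SECRET_HINTS = ("TOKEN", "KEY", "SECRET", "PASSWORD")  # env names worth reporting

# Constructed sample config using the assumed "mcpServers" layout.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@example/github-mcp"],
               "env": {"GITHUB_TOKEN": "placeholder"}},
    "notes": {"command": "node", "args": ["/tmp/notes.js"]},
    "helper": {"url": "https://mcp.example.invalid/sse",
               "env": {"API_KEY": "placeholder"}},
}})

def audit_mcp_config(text, approved=APPROVED):
    """Report every configured MCP server as data; no connector is started."""
    config = json.loads(text)
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return []
    report = []
    for name, entry in sorted(servers.items()):
        if not isinstance(entry, dict):
            report.append({"server": name, "status": "malformed",
                           "target": None, "env_secrets": []})
            continue
        args = entry.get("args") if isinstance(entry.get("args"), list) else []
        target = [entry["command"], *args] if "command" in entry else entry.get("url")
        if name not in approved:
            status = "unapproved"
        elif approved[name] != target:
            status = "changed"  # same name, different binary, arguments or endpoint
        else:
            status = "approved"
        env = entry.get("env") if isinstance(entry.get("env"), dict) else {}
        # Report variable names only, never their values.
        secrets = sorted(k for k in env if any(h in k.upper() for h in SECRET_HINTS))
        report.append({"server": name, "status": status,
                       "target": target, "env_secrets": secrets})
    return report

if __name__ == "__main__":
    print(json.dumps(audit_mcp_config(SAMPLE_CONFIG), indent=2))
```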


Beyond MCP, it covers browser extensions on Chrome, Edge, Brave, Arc, and Firefox, plus editor plugins in VS Code and its forks. The whole scan happens in one pass, outputs a clean structured list of what it found, and never modifies anything on the machine.


How Perplexity uses it internally


Perplexity has been running Bumblebee internally to protect the systems behind its search product, its Comet browser, and its Computer AI agent. When a new threat surfaces, Perplexity Computer drafts a catalog entry for it, a human reviews and approves it, and Bumblebee runs across all developer machines to check for matches.



Teams can run their own catalogs the same way. The tool ships with a built-in threat directory seeded from recent supply-chain attacks, including the May 11 campaign. The group behind that attack—tracked by Google under the alias UNC6780—has been running coordinated software poisoning campaigns since at least March 2026.


Bumblebee is available free at github.com/perplexityai/bumblebee under Apache 2.0, which means you can run it, tweak it, improve it and fork it without legal repercussions.

