Perplexity launches Bumblebee scanner for macOS and Linux developer machines
Perplexity open-sourced Bumblebee, a read-only scanner that inventories risky packages, extensions, and AI tool configs on developer endpoints. It covers 8+ package ecosystems plus MCP server configs, so teams can audit exposure before code reaches production.

TL;DR
- Perplexity's launch post says it open-sourced Bumblebee as a read-only scanner for macOS and Linux developer machines, aimed at risky packages, extensions, and AI tool configs.
- According to AlphaSignalAI's breakdown, Bumblebee reads lockfiles directly and covers more than eight package ecosystems, plus MCP server configs and browser and editor extension manifests.
- The same AlphaSignalAI thread says the first release ships three scan modes (baseline, project, and deep) as a single static Go binary with no non-stdlib dependencies.
- Perplexity also said in its thread that Bumblebee can connect to Computer so new supply-chain indicators can trigger deeper scans on demand.
You can jump straight to the GitHub repo, and Perplexity's launch thread is unusually explicit about the target: developer laptops, not production hosts. AlphaSignalAI's inventory adds the useful implementation detail, including direct lockfile parsing, MCP config coverage, and the three scan modes that ship in the binary.
Developer endpoints
Perplexity positioned Bumblebee around a gap most security tooling does not cover. As the company announcement frames it, the scanner is meant for what is already sitting on developer machines, before a bad dependency or extension turns into a production problem.
That framing is sharper in AlphaSignalAI's writeup, which places Bumblebee between SBOM-style visibility into what shipped and EDR-style visibility into what executed. The product is read-only, so the initial value is inventory and exposure mapping rather than remediation.
What Bumblebee scans
AlphaSignalAI's breakdown lists four buckets Bumblebee reads:
- Lockfiles directly, rather than shelling out to ecosystem package managers.
- Package metadata across npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, and Composer.
- MCP server configs.
- Browser and editor extension manifests.
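As an added illustration of the read-only approach described in that list (example code written for this article, not Bumblebee's source), the Python below parses a constructed package-lock.json and a constructed MCP client config straight from JSON, without invoking npm or any other package manager, then matches the package inventory against a constructed watchlist and flags MCP servers whose package is resolved at launch time rather than pinned. The `mcpServers` layout, the watchlist format, and all package names and versions are assumptions made for the example, not details taken from the Bumblebee repo.

```python
"""Read-only inventory of an npm lockfile and an MCP client config, checked
against a watchlist of supply-chain indicators.

Added example, not Bumblebee's code. Every input below is constructed."""
import json
from typing import Dict, List

# Constructed npm lockfile (lockfileVersion 3 layout: "packages" keyed by
# install path, with "" being the project itself). Names are placeholders.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/demo-utils": {
            "version": "1.3.0",
            "resolved": "https://registry.example.test/demo-utils-1.3.0.tgz"},
        "node_modules/@scope/widget": {
            "version": "2.0.1",
            "resolved": "https://registry.example.test/widget-2.0.1.tgz"},
        "node_modules/@scope/widget/node_modules/demo-utils": {"version": "1.1.0"},
    },
})

# Constructed MCP client config. Assumption: the {"mcpServers": {...}} shape
# used by several MCP clients; any file with this layout is handled the same.
SAMPLE_MCP_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["-y", "@example/server-filesystem", "/home/dev"]},
        "local-tool": {"command": "/usr/local/bin/mcp-tool",
                       "args": ["--port", "9000"]},
    }
})

# Constructed watchlist: the shape an indicator feed might push. The entries
# are illustrative placeholders, not known-bad releases of any real package.
WATCHLIST: Dict[str, set] = {"demo-utils": {"1.3.0"}, "bad-demo-package": {"*"}}


def inventory_npm_lock(text: str) -> List[Dict[str, str]]:
    """Parse a lockfileVersion 2/3 package-lock.json without running npm.

    One entry per installed package, nested duplicates included, so version
    drift between copies of the same package stays visible."""
    data = json.loads(text)
    found = []
    for path, meta in data.get("packages", {}).items():
        if path == "":
            continue  # the project root, not a dependency
        # The name is everything after the last "node_modules/", which keeps
        # scoped names such as "@scope/widget" intact.
        name = path.rsplit("node_modules/", 1)[-1]
        found.append({"name": name, "version": meta.get("version", ""),
                      "path": path, "resolved": meta.get("resolved", "")})
    return found


def inventory_mcp_config(text: str) -> List[Dict[str, object]]:
    """List configured MCP servers with their launch command.

    A server started through a package runner (npx, uvx, pipx) resolves its
    package when the client launches it; without a version suffix that
    resolution is unpinned, which is worth surfacing in an inventory."""
    data = json.loads(text)
    servers = []
    for name, spec in data.get("mcpServers", {}).items():
        command = spec.get("command", "")
        args = list(spec.get("args", []))
        runner = command.rsplit("/", 1)[-1]
        package = ""
        if runner in ("npx", "uvx", "pipx"):
            # Heuristic: the first non-flag argument names the package.
            package = next((a for a in args if not a.startswith("-")), "")
        # "pkg@1.2.3" or "@scope/pkg@1.2.3" is pinned; no version suffix is not.
        unpinned = package != "" and "@" not in package.lstrip("@")
        servers.append({"server": name, "command": command, "args": args,
                        "package": package, "unpinned": unpinned})
    return servers


def match_indicators(packages: List[Dict[str, str]],
                     watchlist: Dict[str, set]) -> List[Dict[str, str]]:
    """Return inventory entries whose name and version appear on the watchlist."""
    hits = []
    for pkg in packages:
        bad = watchlist.get(pkg["name"])
        if bad and ("*" in bad or pkg["version"] in bad):
            hits.append(pkg)
    return hits


def scan(lock_text: str, mcp_text: str, watchlist: Dict[str, set]) -> Dict[str, object]:
    """Build the read-only report: inventory, indicator hits, MCP server list."""
    packages = inventory_npm_lock(lock_text)
    servers = inventory_mcp_config(mcp_text)
    return {
        "packages": packages,
        "indicator_hits": match_indicators(packages, watchlist),
        "mcp_servers": servers,
        "unpinned_mcp_servers": [s["server"] for s in servers if s["unpinned"]],
    }


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_PACKAGE_LOCK, SAMPLE_MCP_CONFIG, WATCHLIST), indent=2))
```

Because the scan only reads files and matches against a watchlist, re-running it against a refreshed watchlist is cheap, which is the same property that lets an indicator feed trigger re-scans of an existing inventory without executing anything on the workstation.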
The MCP line is the part that makes this feel current. Package scanning is familiar security plumbing, but Perplexity's announcement explicitly extends the model to AI tool configuration on developer endpoints.
Scan modes and binary shape
The first release ships three modes (baseline, project, and deep), according to AlphaSignalAI's scan-mode notes. The same post says Bumblebee is distributed as a single static Go binary with no non-stdlib dependencies, and that its self-test completes in 1 ms.
Those details matter because they describe how Perplexity built the scanner to be easy to drop onto workstations. The repo is Apache 2.0 licensed, and Perplexity's thread says the tool started as an internal system before being open-sourced.
Connected to Computer
The most specific product hook in Perplexity's launch post is the connection to Computer, which can trigger deeper scans when a new supply-chain risk emerges. That turns Bumblebee from a static workstation inventory into something that can be re-queried against fresh indicators of compromise without waiting for a malicious package to run first.