Perplexity Built a Tool That Checks Your Computer for Infected Software Without Setting Off the Infection

Perplexity has open-sourced a security tool called Bumblebee that scans developer computers for infected software packages, malicious browser extensions, and compromised AI tool configurations — without ever running the code it finds. It is, in the cybersecurity world, the equivalent of checking a bottle for poison without drinking from it.
The release comes less than two weeks after a hacker group called TeamPCP slipped malicious code into over 160 software packages used by millions of developers worldwide, including packages from Mistral AI, UiPath, and a widely used React tool with 12 million weekly downloads. That attack spread automatically the moment developers installed the affected packages, before anyone could notice anything was wrong.
Bumblebee could have prevented that, Perplexity says. And its approach represents a genuine shift in how security tools can work.
## Why Read-Only Scanning Matters
Software packages in the JavaScript and Python ecosystems can run hidden scripts the moment you install them. That is exactly how the May 11 TeamPCP attack spread so fast. The malicious code fired automatically on install, executing before any human or automated system could review it.
Most security scanners work by invoking the package manager to check what is installed. The problem: invoking the package manager can trigger those same installation scripts. You go looking for the worm; the worm runs.
Bumblebee sidesteps this entirely. It never calls any package manager. Instead, it reads raw metadata files — the records that describe what is installed — without touching the software itself. Think of it as reading the ingredient label instead of eating the food.
This is not a theoretical advantage. In the TeamPCP attack, the malicious packages executed their payload during the npm install process. Any scanner that triggered an npm check would have activated the same malicious code. Bumblebee’s read-only approach means it can identify suspicious packages without giving them the execution context they need to run.
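The read-only idea described above, as an added example (not code from Bumblebee or from the original article): installed `package.json` manifests are parsed as plain data and any package declaring an npm install-time hook is flagged, with no call to a package manager. The function names, the sample tree and the `known_bad` advisory entry are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that run automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def inventory(root):
    """Parse installed package.json files as plain data; nothing is executed."""
    entries = []
    for manifest in sorted(Path(root).rglob("package.json")):
        parts = manifest.parts
        if "node_modules" not in parts:
            continue  # the project's own manifest, not an installed package
        last = len(parts) - 1 - parts[::-1].index("node_modules")
        tail = parts[last + 1:-1]  # ("name",) or ("@scope", "name")
        if not (len(tail) == 1 or (len(tail) == 2 and tail[0].startswith("@"))):
            continue  # manifest buried inside a package, e.g. a test fixture
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            meta = None
        unreadable = not isinstance(meta, dict)
        meta = {} if unreadable else meta
        scripts = meta.get("scripts") if isinstance(meta.get("scripts"), dict) else {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        entries.append({"name": str(meta.get("name", "/".join(tail))), "hooks": hooks,
                        "version": meta.get("version"), "unreadable": unreadable})
    return entries

def needs_review(entries, known_bad=frozenset()):
    """Names with install hooks, unreadable manifests or an advisory match."""
    return [e["name"] for e in entries if e["hooks"] or e["unreadable"]
            or (e["name"], str(e["version"])) in known_bad]

def demo():
    """Build a constructed sample tree (made-up names) and scan it."""
    samples = {
        "plain-lib": {"name": "plain-lib", "version": "1.0.0"},
        "@acme/build": {"name": "@acme/build", "version": "2.1.0",
                        "scripts": {"postinstall": "node setup.js"}},
        "plain-lib/node_modules/old-dep": {"name": "old-dep", "version": "0.3.1"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, meta in samples.items():
            pkg = Path(tmp, "node_modules", rel)
            pkg.mkdir(parents=True, exist_ok=True)
            (pkg / "package.json").write_text(json.dumps(meta), encoding="utf-8")
        return needs_review(inventory(tmp), known_bad={("old-dep", "0.3.1")})
```

An install hook is not proof of compromise, since many legitimate packages build native code this way; the output is a review list, not a verdict.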
## The MCP Configuration Gap
The genuinely novel feature of Bumblebee is that it also scans MCP (Model Context Protocol) configuration files — the local files that tell AI assistants like Claude, Cursor, and Copilot which external services they are allowed to connect to.
MCP is the protocol that gives AI tools access to emails, databases, calendars, file systems, and code repositories. It is how your AI assistant can read your inbox or search your codebase. But if an attacker sneaks a malicious connector into that configuration, your AI assistant could leak credentials or run unauthorized commands in the background — and you would never know.
Most security tools are not checking for this yet. MCP is relatively new, and the security ecosystem around it is immature. Bumblebee is one of the first tools to treat MCP configuration as an attack surface, scanning for connectors that point to suspicious endpoints, request excessive permissions, or match known malicious patterns.
Beyond MCP, Bumblebee covers browser extensions on Chrome, Firefox, and Brave. Malicious browser extensions are one of the most underappreciated attack vectors in consumer and enterprise security. They can read every page you visit, intercept form submissions (including passwords), and inject content. Bumblebee checks extensions against known malware databases and flags those requesting suspicious permissions.
## The Supply Chain Attack Problem Is Getting Worse
The TeamPCP attack was not an isolated incident. It was part of an accelerating trend of supply chain attacks targeting the software development ecosystem.
In 2024, the XZ Utils backdoor was discovered in a widely used Linux compression tool after a Microsoft engineer noticed unusual latency in SSH connections. The backdoor had been inserted over months by a contributor who had built trust over years. It affected virtually every major Linux distribution.
In 2023, the 3AM ransomware group used malicious npm packages to target developers. In 2022, the LuaDNS attack compromised a DNS provider through a poisoned dependency. The pattern is consistent: attackers target the trust relationships in software development because compromising one package can compromise millions of downstream users.
The scale of the problem is staggering. The npm registry alone hosts over 2 million packages, with JavaScript developers installing billions of packages weekly. PyPI (Python) and crates.io (Rust) face similar scale. No human can audit this volume. Automated tools that trigger the code they are trying to inspect are not just ineffective — they are dangerous.
## What This Means For You
Whether you are a developer, a manager, or someone who uses a computer for work, supply chain security affects you.
**If you are a developer, run Bumblebee now.** It is free, open-source, and takes minutes. It checks your installed packages, browser extensions, and MCP configs without executing anything. The TeamPCP attack affected millions. Your machine may be compromised and you would not know it.
**Check your MCP configuration regularly.** If you use AI coding assistants like Claude, Cursor, or Copilot, you are granting them access to your most sensitive systems. Review which connectors are authorized, remove any you do not recognize, and treat MCP permissions with the same caution you would apply to OAuth grants.
**Audit your browser extensions.** Delete any extension you have not used in 30 days. Check the permissions requested by the ones you keep. A weather extension does not need access to all website data. A PDF viewer does not need to read your browsing history. When in doubt, remove it.
**Treat package installations as security events.** Every npm install or pip install is an act of trust. Use lockfiles to pin versions. Verify package names carefully — typosquatting (packages named similarly to popular ones) remains a primary attack vector. Consider using npm audit and Snyk in addition to Bumblebee.
**If you manage a team, make supply chain security a sprint task, not a quarterly afterthought.** The cost of a supply chain compromise is orders of magnitude higher than the cost of prevention. A single compromised dependency can expose your entire codebase, your CI/CD pipeline, and your production infrastructure.
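A sketch of the MCP configuration review described in "The MCP Configuration Gap" and in the advice above, as an added example (not Bumblebee's code and not from the original article). It assumes the `mcpServers` JSON layout used by common MCP clients; the server names, hosts, reviewed list and heuristics are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumption: the "mcpServers" layout used by common MCP clients' JSON configs.
# Every name, host and value in this sample is constructed.
SAMPLE_CONFIG = """
{"mcpServers": {
  "filesystem": {"command": "node", "args": ["/opt/mcp/fs-server.js", "/home/dev/project"]},
  "notes-sync": {"command": "npx", "args": ["-y", "notes-sync-mcp"],
                 "env": {"API_TOKEN": "constructed-value"}},
  "tickets": {"url": "http://tickets.example.net/mcp"}
}}
"""
REVIEWED = {"filesystem"}                 # connectors someone has approved
TRUSTED_HOSTS = {"mcp.internal.example"}  # remote endpoints considered in scope
FETCHING_LAUNCHERS = {"npx", "uvx"}       # resolve and run a package at start-up
SECRET_HINTS = ("TOKEN", "KEY", "SECRET", "PASSWORD")

def audit_mcp(config_text, reviewed=REVIEWED, trusted_hosts=TRUSTED_HOSTS):
    """Return {server_name: [findings]} from the config text; nothing is launched."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            report[name] = ["malformed entry"]
            continue
        findings = []
        if name not in reviewed:
            findings.append("not on the reviewed list")
        command = str(spec.get("command", ""))
        if command.rsplit("/", 1)[-1] in FETCHING_LAUNCHERS:
            findings.append(f"{command} fetches a package when the server starts")
        if "url" in spec:
            url = urlparse(str(spec["url"]))
            if url.scheme != "https":
                findings.append("remote endpoint is not HTTPS")
            if url.hostname not in trusted_hosts:
                findings.append(f"unrecognised host {url.hostname}")
        env = spec.get("env") if isinstance(spec.get("env"), dict) else {}
        exposed = sorted(k for k in env if any(h in k.upper() for h in SECRET_HINTS))
        if exposed:
            findings.append("credentials passed in env: " + ", ".join(exposed))
        if findings:
            report[name] = findings
    return report
```

A connector launched through a fetching launcher ties back to the install-script problem: the package it names is resolved and run each time the assistant starts the server.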
Editorial Team
Originally sourced from Decrypt