Bumblebee: Perplexity's Supply Chain Scanner, 2026

Bumblebee: Perplexity's Free Scanner for the Supply Chain Attacks Hitting npm in 2026

Bumblebee: Perplexity's Free Scanner for the Supply Chain Attacks Hitting npm in 2026

In March 2026, a single compromised maintainer account turned axios — a library downloaded roughly 100 million times a week and sitting underneath more than 174,000 dependent packages — into a malware delivery system. For about three hours, anyone who ran a fresh npm install pulled a cross-platform remote access trojan straight into their build. Nobody clicked a phishing link. Nobody made a mistake. They just installed a dependency, the way every developer does dozens of times a day.

That's the defining shape of the software supply chain threat in 2026: the attack doesn't target you, it targets something you already trust. According to Sonatype's 2026 State of the Software Supply Chain report, more than 454,600 new malicious open-source packages were identified in 2025 alone, pushing the cumulative total blocked past 1.233 million — a 75% jump year over year. In response, Perplexity open-sourced Bumblebee, a free, read-only scanner that checks whether any of that mess has already landed on your machine.

This article covers how bad the npm threat landscape actually got in 2026, what Bumblebee does differently from existing security tools, how to run it in under five minutes, and why its coverage of MCP configs and editor extensions matters specifically for teams building with AI agents.

The Scale of the Problem in 2026

The numbers alone would be alarming, but the specific incidents this year show how fast and how targeted these attacks have become. Per Microsoft's Security Blog and Unit 42's tracking, three incidents defined the year:

Over 99% of open-source malware is found on npm specifically, and the entry point is almost always the same: credential theft, usually via phishing emails impersonating npm itself, capturing a maintainer's password and — when 2FA is weak or missing — their publishing token. Researchers describe the Shai-Hulud worm, a self-replicating malware strain that automated the compromise and redistribution of malicious packages, as the moment npm attacks graduated from a nuisance into a high-consequence threat category.

npm itself is finally responding at the platform level. According to the GitHub Changelog, npm v12 ships in July 2026 and blocks preinstall, install, and postinstall scripts by default — the exact mechanism that let a compromised axios release execute arbitrary code the moment someone ran npm install. The same release also blocks resolving Git dependencies and remote tarball URLs unless a project explicitly opts in. It's a significant fix, but as NodeSource points out, it only closes one execution path — it does nothing for a package whose actual published code, not its install script, is malicious. That's precisely the gap a read-only metadata scanner like Bumblebee is built to catch instead.

Server racks in a data center representing infrastructure at risk

What Bumblebee Actually Does

Perplexity's announcement describes Bumblebee as a read-only developer endpoint scanner: it checks your on-disk package metadata, editor extensions, and MCP configurations against a database of known-compromised releases, without executing anything. Released under Apache 2.0 in May 2026 and detailed in MarkTechPost's writeup, it ships as a single static Go binary with zero non-stdlib dependencies — a deliberate choice given that the tool exists specifically to check for compromised dependencies, so it can't itself rely on any.

The coverage is broad: eight package ecosystems (npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, Composer), plus MCP server configs, editor extensions for VS Code, Cursor, Windsurf, and VSCodium, and Chromium/Firefox browser extensions. Per Developers Digest's guide, the design principle is stated explicitly in the project's own documentation: "never execute anything that is not read directly by Go." Bumblebee never runs npm install, pip list, bun pm ls, or composer show — it reads lockfiles and metadata directly, never touches your source code, and makes no network calls during the scan itself.

Scan profile What it covers Typical use case
Baseline Global/user package roots, language toolchains, editor + browser extensions, MCP configs Routine health check on a dev machine
Project Configured directories like ~/code or ~/src Scanning a specific repo or workspace
Deep Operator-supplied roots, often a bare home directory Active incident response

How to Run It

Bumblebee is designed to be run without ceremony — no config file required for a first pass, and no risk of it modifying anything since it never executes code.

# Install and run a baseline scan (macOS/Linux, Go 1.25+ toolchain)
go install github.com/perplexityai/bumblebee@latest
bumblebee scan --profile baseline

# Scan a specific project directory after a suspicious install
bumblebee scan --profile project --path ~/code/my-app

# Deep scan during active incident response
bumblebee scan --profile deep --path ~

Because it's read-only and makes no network calls mid-scan, it's safe to run on production build servers and CI runners as a periodic check, not just on personal developer laptops.

Why MCP and Editor Extension Coverage Matters Right Now

The part of Bumblebee's scope that's easy to skip past is the MCP config and editor extension scanning — but it's arguably the most forward-looking piece. As AI coding agents have become standard tooling, MCP servers and editor extensions have quietly become a new, largely unmonitored supply chain surface: a malicious or compromised MCP server can read your codebase, environment variables, and credentials with the same trust level as the AI assistant itself, and most teams have no equivalent of npm audit for that layer yet.

The Mastra AI compromise is the clearest illustration of why this matters — it wasn't a random utility library, it was the most popular AI-agent framework on npm, meaning the compromise specifically targeted teams building agentic tooling. As that category of software becomes as central to development workflows as HTTP clients and test runners already are, treating it as an unaudited blind spot is the exact gap Bumblebee was built to close.

This is also why the tool's scope extends past just package.json and requirements.txt. A compromised VS Code or Cursor extension can intercept keystrokes and exfiltrate source code directly from the editor, bypassing package-manager-level defenses entirely — including the install-script blocking that npm v12 just shipped. Scanning editor extensions and MCP configs alongside traditional package manifests reflects a realistic picture of where an AI-assisted developer's trust actually extends today, not just where it extended five years ago.

Frequently Asked Questions

What is Bumblebee? Bumblebee is a free, open-source, read-only scanner released by Perplexity in May 2026 that checks a developer machine's installed packages, editor extensions, and MCP configurations against a database of known software supply-chain compromises.

Does Bumblebee execute any code on my machine? No. Its core design principle is to never execute anything that isn't read directly by the Go binary itself — it doesn't run npm install, pip list, or any package manager command, and it makes no network calls during a scan.

Which package ecosystems does it cover? Eight ecosystems: npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, and Composer, plus MCP server configs and browser/editor extensions for Chrome, Firefox, VS Code, Cursor, Windsurf, and VSCodium.

Why did Perplexity build this instead of a security vendor? Perplexity's own engineering teams face the same npm-scale supply chain risk as everyone else, and open-sourcing a lightweight, dependency-free scanner under Apache 2.0 makes it usable by any team without a procurement process or vendor relationship.

How big is the npm supply chain problem, really? Sonatype counted more than 454,600 new malicious open-source packages in 2025 alone, pushing its cumulative blocked total past 1.233 million — a 75% increase year over year — with over 99% of that malware appearing on npm specifically.

Conclusion

The axios, Red Hat, and Mastra AI incidents this year weren't edge cases — they were three data points in a curve that's been accelerating since the Shai-Hulud worm ended what researchers call the "nuisance era" of npm attacks. Bumblebee doesn't stop a compromised package from being published, but it closes the much more common gap: most teams have no fast way to check whether they've already installed one.

Running a five-minute read-only scan across your dev machines and CI runners is a low-cost habit against a threat that, at this point, has hit some of the most trusted names in the JavaScript and AI-agent ecosystems. The tooling to check is free now — the only real excuse left is not running it.

Back to Blog