\n<\/p>\n
<\/div> Follow ZDNET: <\/em>Add us as a favorite source<\/span><\/a><\/span> On Google.<\/em><\/p>\n If you’re a programmer, you’re painfully aware that your software supply chain has been inundated with successful malicious attacks. These attacks include Axios NPM Package Agreement<\/a>The PyPI LiteLLM AI attack<\/a>and this canistersprowl npm attack<\/a>. <\/p>\n What should a programmer do when he can’t trust even the basic elements of his program? Well, there are several approaches, and the latest comes from distress<\/a>. <\/p>\n According to AI company, bumblebee<\/a> is a “read-only scanner that we use to check developer machines for risky packages, extensions, and AI tool configurations during supply-chain incidents.” The company said in its announcement that the program is “one of the internal tools used to protect systems by Perplexity, the developer behind Comet and Computer.”<\/p>\n Also: How I get my business emails through spam filters with SPF, DKIM, and DMARC<\/strong><\/p>\n This tool is designed to answer the first question that comes to your mind after a new supply-chain advisory: Have any of our programmers installed this thing? <\/p>\n Bumblebee runs on MacOS and Linux developer machines Now available as an open-source Go project<\/a>. You can plug the tool’s results into any security system you’re already using.<\/p>\n Instead of targeting code or runtime behavior, Bumblebee focuses on four specific surfaces. Perplexity claimed that existing open-source tools cover one or two of these surfaces, while Bumblebee can handle all four at once:<\/p>\n Also: Patching Treadmill: Why traditional application security is no longer enough<\/strong><\/p>\n In other words, this tool is for people who run JavaScript\/TypeScript, Python, Go, Ruby, and PHP; Programmers experimenting with AI MCP configurations; and developers living inside VS Code\u2011style editors and Chromium\u2011style browsers.<\/p>\n Bumblebee is part of a larger internal workflow, which Perplexity outlines as follows:<\/p>\n You don’t need to use Perplexity’s JSON Catalog; You can now get Bumblebee up and running with your catalog and review process. Each identity is “traceable, showing which catalog entry initiated the filing, when it was added, and any evidence,” Perplexity said.<\/p>\n You can access the open-source Bumblebee Catalog on GitHub. You’ll find it in the threat_intel\/ directory, which “holds an exposure catalog built from public threat-intelligence reporting on recent supply-chain campaigns.” Each file in that directory is a catalog in standard JSON format (schema_version + entries). The README there explains the current catalog listing and review guidance. To use the catalog, you clone the repo and pass that directory to the scanner. For more information about that step, see Bumblebee’s Threat Intelligence Exposure Catalog<\/a>.<\/p>\n Too: <\/strong>Best VPN Services: Expert Tested and Recommended<\/strong><\/p>\n Alternatively, you can create your own Bumblebee catalog as a simple JSON file, which lists exact matches of the at-risk components important to you, such as ecosystem, package name, and affected version. Bumblebee then compares the local machine inventory with that catalog and only matches exactly (ecosystem, name, version), so the catalog is intentionally narrow and deterministic.<\/p>\n The scanner supports three profiles that very clearly map the way developers and security teams think about scope:<\/p>\n Perplexity puts this tool at the “developer surface” level: the software bill of materials (SBOM) and the vulnerability scanner handle the repository and build artifacts. Endpoint inventory products cover installed applications. Bumblebee runs on developer laptops. The main output is: “This tells you whether a specific package, version, extension, or MCP configuration is installed on that machine when the supply-chain advisor arrives.”<\/p>\n The company emphasizes “read-only” as a security property, not just an implementation detail. In their words, “Bumblebee is read-only. It reads metadata files directly and never allows potentially compromised tooling to run, which prevents scans from becoming a risk.” He added: “Making Bumblebee read-only helps avoid problems with install-time code execution.”<\/p>\n Too: <\/strong>5 ways to strengthen your network against the new pace of AI attacks<\/strong><\/p>\n The post directly called for npm\u2011style postinstall attacks: “NPM packages can carry postinstall scripts that automatically run when exposed to npm install. This is how most recent supply\u2011chain bugs have spread.” The warning for developer-side scanners is clear: “A scanner that invokes npm to check for exposure has already triggered the attack it seeks.”<\/p>\n Perplexity said, Bumblebee’s safety is guaranteed by what he refuses to do:<\/p>\n Designed this way, Bumblebee is not trying to replace endpoint detection tools or build-time scanners. This is a targeted inventory check focused on specific metadata that detects when a particular programmer’s PC is using vulnerable code.<\/p>\nZDNET Highlights<\/h3>\n
\n
Security question Bumblebee is designed to answer<\/h2>\n
\n
How Bumblebee integrates into your internal workflow <\/h2>\n
\n
\n
Read-only avoids risky scans<\/h2>\n
\n