Perplexity Launches Bumblebee: A Challenge to Chainguard
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
Perplexity recently introduced Bumblebee, a new security tool aimed at developers. This open-source scanner seeks to address a crucial question in the supply chain domain: have developers installed malware on their machines?
An Open-Source Tool Without AI
Bumblebee stands out for its open-source nature and does not require artificial intelligence or a subscription. It has been designed to identify potential vulnerabilities on developers' laptops. Recent supply chain attacks, such as those involving the npm package Axios, the LiteLLM attack on PyPI, and the assault on npm CanisterSprawl, have highlighted the importance of such tools.
Key Features
Bumblebee is a read-only scanner designed to examine developers' machines for risky packages, extensions, and AI tool configurations. It operates on MacOS and Linux and is developed in Go. Rather than targeting code or runtime behavior, Bumblebee focuses on four specific areas:
- Language package managers: npm, pnpm, Yarn, Bun, PyPI, Go modules, RubyGems, and Composer
- AI agent configurations: Model Context Protocol (MCP)
- Editor extensions: VS Code family (VS Code, Cursor, Windsurf, VSCodium)
- Browser extensions: Chromium family (Chrome, Comet, Edge, Brave, Arc) and Firefox
Integration into the Workflow
Bumblebee integrates into a broader internal workflow. When a threat signal is identified through public disclosures, third-party information feeds, or internal research, Perplexity updates a catalog and submits a pull request (PR) on GitHub. After human review, the PR is merged, and Bumblebee runs with the updated catalog. The results are then shared with the security team. Users can also customize Bumblebee with their own catalogs and review processes. Each detection is traceable, indicating which catalog entry triggered the submission, when it was added, and any associated evidence.
Security and Read-Only
Perplexity emphasizes that Bumblebee is read-only, meaning it only reads metadata files without executing potentially compromised tools. This reduces the risk of attacks, as Bumblebee never runs installation scripts or lifecycle hooks. It does not read the source files of applications but focuses on metadata such as lock files and manifests.
Comparison with Chainguard
Bumblebee operates earlier in the development lifecycle than Chainguard, which focuses on hardening containers and pipelines. Bumblebee directly checks developers' machines for risks related to packages, extensions, and MCP configurations. As a free and open-source tool licensed under Apache 2.0, Bumblebee is accessible to a wide range of developers.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.