AI coding agents and package managers are incredibly convenient, but they also introduce massive new vectors for supply-chain attacks. Earlier this week, the security and AI engineering teams at Perplexity open-sourced a fantastic new internal tool called Bumblebee. If you missed the announcement, Bumblebee is a wildly fast, read-only supply-chain scanner for developer endpoints.
Unlike traditional vulnerability scanners that run in your CI/CD pipeline, Bumblebee runs locally. It sweeps your local cache (npm, Go modules, PyPI, etc.), editor extensions, and even AI agent configs to see if you have any compromised packages sitting on your machine. And crucially, it’s strictly read-only—it parses lockfiles and manifests without ever executing sketchy postinstall scripts that could trigger a dormant payload.
The engineering behind Perplexity’s CLI is incredible. It’s a single Go binary that evaluates thousands of local packages in seconds and spits out highly detailed NDJSON records.
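The read-only matching idea described above, as an added example (not Bumblebee's code and not part of the original post): it decodes a constructed npm package-lock.json and checks each entry against a constructed set of bad name@version pairs, without running npm or any install script. The package names, the catalog shape and the Finding fields are assumptions for illustration, not Bumblebee's formats.

```go
package main

import (
	"encoding/json"
	"os"
	"sort"
	"strings"
)

// Constructed inputs: an npm lockfileVersion 3 file and a set of bad "name@version" pairs (made up).
const sampleLock = `{"lockfileVersion":3,"packages":{"":{"name":"demo-app"},
 "node_modules/left-padder":{"version":"2.1.0"},"node_modules/@acme/logger":{"version":"0.4.2"},
 "node_modules/@acme/logger/node_modules/left-padder":{"version":"2.0.9"}}}`

var sampleCatalog = map[string]bool{"left-padder@2.0.9": true, "@acme/logger@9.9.9": true}

// Finding is one match; main prints each as one JSON line (field names are assumptions).
type Finding struct{ Name, Version, Path string }

// Scan only decodes JSON: nothing is installed, resolved or executed.
func Scan(lockJSON string, bad map[string]bool) ([]Finding, error) {
	var lock struct {
		Packages map[string]struct{ Version string }
	}
	if err := json.Unmarshal([]byte(lockJSON), &lock); err != nil {
		return nil, err
	}
	var out []Finding
	for path, p := range lock.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 {
			continue // the "" key is the root project, not an installed dependency
		}
		// The name follows the last "node_modules/", which covers nested and scoped installs.
		name := path[i+len("node_modules/"):]
		if bad[name+"@"+p.Version] { // exact name and version match only
			out = append(out, Finding{Name: name, Version: p.Version, Path: path})
		}
	}
	sort.Slice(out, func(a, b int) bool { return out[a].Path < out[b].Path })
	return out, nil
}

func main() {
	fs, _ := Scan(sampleLock, sampleCatalog)
	enc := json.NewEncoder(os.Stdout)
	for _, f := range fs {
		enc.Encode(f)
	}
}
```

The top-level left-padder 2.1.0 is clean here; the match is the older copy nested under @acme/logger, which a look at direct dependencies alone would miss.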
But as much as I love a good command-line interface, reading through a wall of raw JSON output to figure out the health of my local machine isn’t exactly my favorite way to spend an afternoon. I wanted a way to actually see what the scanner was doing, browse my inventory, and track my exposure over time without writing custom jq scripts.
So, I spent the last few days building a native desktop wrapper for it.
Today, I’m excited to share Bumblebee UI, an open-source graphical interface built right on top of Perplexity’s scanning engine.

What is Bumblebee UI?
To be clear: all the heavy lifting—the deterministic matching, the blazing-fast file parsing, the threat catalogs—is powered by Perplexity’s underlying bumblebee CLI. My project simply acts as a control center and visualizer, taking that raw data and turning it into an actionable, developer-friendly dashboard.
Here is what the wrapper adds to the experience:
1. The Dashboard
Instead of piping terminal outputs into a file, you get a clean, unified overview of your endpoint’s health. The dashboard visualizes the scan duration, exactly how many roots were verified, and immediately flags if any of your thousands of package records match a known exposure. You can trigger Baseline, Project, or Deep scans right from the UI.

2. Searchable Endpoint Inventory
The Perplexity scanner tracks an absurd amount of data—everything from your Go modules down to your VS Code extensions. The UI takes that output and builds a fully searchable, filterable Inventory table. If you want to know exactly where github.com/charmbracelet/bubbletea is cached on your hard drive and what version you are running, you can find it in seconds.

3. Visual Threat Intel Management
Bumblebee relies on dynamic JSON exposure catalogs to know what bad packages to look for. The UI includes a Threat Intel module that lets you visually manage these catalogs. You can hit a button to sync upstream from Perplexity’s GitHub catalog, or manually add your own custom JSON catalogs to sweep your local metadata for proprietary threats.

4. Scan History & Snapshots
Because the CLI is a one-shot scanner, tracking changes over time can be tough. The UI wrapper automatically logs and saves the results of your past runs in the History tab. This gives you point-in-time snapshots of your machine. If a new zero-day drops, you can look back and see exactly when a specific package environment changed on your machine.

5. Custom Themes (Because Why Not?)
I’m a firm believer that the tools we look at all day should be visually satisfying. I built a theme engine into the app so you can customize the aesthetic. Whether you prefer the high-contrast dark mode of Command, the hacker-vibe of Terminal, or a clean light interface like Daylight, you can make it match your workspace.

Try It Out
Securing the software supply chain is a massive challenge, and Perplexity did the community a huge solid by open-sourcing the core Bumblebee engine. I built this UI wrapper because I wanted to make that powerful engine as approachable and easy to use as possible for everyday developers.
It’s completely open-source, and you can grab the code (and the underlying binary setup instructions) over on my GitHub:
🔗 https://github.com/drmhse/bumblebee-ui
If you end up using it, I’d love to hear your feedback. Drop an issue or a PR if you have ideas for making it better. Happy scanning!

