Top Recent GitHub Open‑Source Projects: Supply‑Chain Security, AI Coding, Satellite Simulation, Model Integration

Bumblebee – Supply‑Chain Attack Detection

Recent supply‑chain attacks on npm and PyPI have left security teams struggling to identify which developers have installed compromised packages. Bumblebee, an open‑source read‑only inventory scanner from Perplexity, addresses this by scanning lock files and metadata across multiple ecosystems without executing package‑manager commands.

What It Scans

npm family: package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lock PyPI: dist-info/METADATA, egg-info Go: go.sum, go.mod RubyGems: Gemfile.lock, installed gemspecs

Composer: composer.lock, installed.json Editor extensions: VS Code, Cursor, Windsurf, VSCodium extension lists

Browser extensions: Chromium and Firefox configurations

MCP configs: JSON files from Claude Desktop, Cline, Gemini CLI, etc.

All supported sources are listed in docs/inventory-sources.md. Bumblebee offers three scan profiles:

baseline : scans global package manager roots, language toolchains, editor and browser extensions, and MCP configs; suitable for cron jobs.

project : scans a specified development directory (e.g., <sub>/code); ideal for periodic inventory of known workspaces.

deep : scans any path (including $HOME) with the --exposure-catalog flag for urgent investigations.

Baseline and project modes cannot scan bare $HOME directories; only deep mode can.

Alert List Integration

Bumblebee can ingest a JSON‑formatted alert catalog; matching packages generate findings that include ecosystem, package name, version, project path, source file, confidence score, and host metadata for downstream aggregation.

{
  "schema_version": "0.1.0",
  "entries": [
    {
      "id": "advisory-2026-0042",
      "name": "example-pkg 1.2.3 (compromised release)",
      "ecosystem": "npm",
      "package": "example-pkg",
      "versions": ["1.2.3"],
      "severity": "critical"
    }
  ]
}

Findings are emitted as NDJSON lines, each ending with a scan_summary record. The tool runs as a single‑file static binary compiled with Go 1.25+, requiring no external dependencies.

go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest
bumblebee scan --profile baseline > inventory.ndjson
bumblebee scan --profile project --root "$HOME/code" --root "$HOME/Developer"
bumblebee scan --profile deep --root "$HOME" --exposure-catalog ./catalog.json --max-duration 10m

Limitations: macOS/Linux only, requires Go 1.25+, parses only JSON MCP configs, and confidence scores are high/medium/low without precise version data for all sources.

GitHub: perplexityai/bumblebee · 3,100+ ★ · Go · Apache 2.0

GSD Redux – Managing Claude Code Context Windows

Long AI‑coding sessions suffer from context bloat, causing quality degradation. GSD (Get Shit Done) introduces a lightweight meta‑prompt and context‑engineering system that offloads heavy work to independent sub‑agents, each limited to ~200 k tokens, keeping the main window at 30‑40% occupancy.

Why It’s Needed

Context inflation : long sessions fill the window; GSD splits work into separate sub‑contexts.

No shared memory : AI loses state across sessions; GSD maintains structured docs ( PROJECT.md, REQUIREMENTS.md, ROADMAP.md, STATE.md) that are loaded at each new session.

No verification : runnable code isn’t guaranteed correct; GSD’s /gsd-verify-work step walks each feature and auto‑generates fix suggestions.

Six‑Step Loop

The core workflow consists of six single‑purpose commands: /gsd-new-project: questionnaire‑driven research that produces requirement and roadmap docs. /gsd-map-codebase: analyzes existing code structure. /gsd-discuss-phase 1: refines design decisions (API, error handling, data structures) via dialogue. /gsd-plan-phase 1: iterates research → plan → verification in a new context window. /gsd-execute-phase 1: splits the plan into parallel tasks, each executed in its own 200 k‑token context, producing clean git history. /gsd-verify-work 1: runs automated functional checks and generates diagnostic reports with fix proposals.

Final tagging commands ( /gsd-ship 1, /gsd-complete-milestone, /gsd-new-milestone) archive the phase and start the next.

Applicable Scenarios

Individual developers or small teams tackling medium‑to‑large AI‑assisted projects.

Engineering efforts that require cross‑session continuity.

Codebases where quality matters and “write‑and‑forget” is unacceptable.

Supported Runtimes

Claude Code, OpenCode, Gemini CLI, Kilo, Codex, Copilot, Cursor, Windsurf, and about 15 other runtimes.

Installation (choose runtime and global/local mode): npx @opengsd/get-shit-done‑redux@latest Key configurable parameters (in .planning/config.json) include: mode: interactive (step‑by‑step) or yolo (auto‑approve). Model profiles: quality, balanced, budget to select models per agent. parallelization.enabled: toggle parallel execution of independent plans. code_quality.fallow: optional static structural analysis (requires the fallow tool).

Community Background

The original GSD upstream was compromised by a meme‑coin rug‑pull in May 2026; the community migrated development to open-gsd/get-shit-done-redux, performed a security audit, added multilingual docs, and renamed the package namespace to @opengsd/*. The old package is deprecated.

Limitations

Requires external permissions for AI runtimes (e.g., Claude Code needs --dangerously-skip-permissions).

Non‑Claude runtimes cannot copy files directly to config directories; npm‑based conversion is required.

Node.js/npm‑less environments (e.g., Windows + OpenCode) need manual installation paths.

GitHub: open-gsd/get-shit-done-redux · 1,000+ ★ · JavaScript · MIT

SmartNode – Satellite Communication Simulation

SmartNode lowers the barrier to satellite‑communication simulation to a simple git clone and a few commands.

What It Does

Visualizes real‑time satellite orbits, ground‑station coverage, and relay links in 3D.

Allows users to submit data‑return tasks and observe scheduling.

Enables adjustment of ground‑station or low‑orbit satellite counts to study throughput effects.

Displays live resource utilization and system status.

Technical Architecture

The backend is a Flask (Python) REST API; the frontend is a pure‑JavaScript 3D viewer. All APIs are public and require no authentication.

Core simulation logic resides in core.py, which handles the model, configuration management, and scheduling engine. The frontend polls the API to refresh the 3D scene.

Quick Start

git clone https://github.com/Tong89/smartNode.git
cd smartNode
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python backend/app.py

Then open http://127.0.0.1:5000/frontend/ in a browser. Windows users can run run_server.bat.

API Overview

GET /api/health

– health check. GET /api/data – fetch simulation state. GET /api/system_info – system configuration. GET /api/resource_status – status of satellites, ground stations, relays. GET /api/resource_utilization – utilization statistics. POST /api/request – submit a data‑return task. POST /api/update ground stations – adjust ground‑station count. POST /api/update leo satellites – adjust low‑orbit satellite count.

Who It’s For

Anyone interested in satellite networking fundamentals.

Researchers or educators needing a visual demo.

Hobbyists wanting to extend the framework.

Limitations

Designed for local teaching demos; public deployment requires adding authentication, rate‑limiting, and access control.

GitHub: Tong89/smartNode · 1,000+ ★ · Python · MIT

codex‑shim – Route Any Large Model Through Codex Desktop

Codex Desktop’s built‑in model selector is limited to a few providers. codex‑shim solves this by running a lightweight local HTTP proxy that intercepts Codex requests and forwards them to any configured backend model.

How It Works

The shim is a single‑process Python/aiohttp server exposing an OpenAI‑compatible endpoint at 127.0.0.1:8765. After pointing Codex’s API URL to this endpoint, the shim:

Routes the request to the selected backend (OpenAI, Anthropic, generic OpenAI‑style, or ChatGPT Codex passthrough).

Translates the backend response back into Codex’s expected format.

Handles function calls, tool outputs, reasoning blocks, and streaming SSE uniformly.

It has been tested with Codex Desktop 0.133.0‑alpha.1 (macOS arm64).

Core Value

Model choice freedom : use any purchased large model without rebuilding Codex.

Native experience retained : all Codex features (agent loops, function calls, shell metadata) work unchanged.

ChatGPT passthrough : route Codex requests to ChatGPT’s Codex backend, saving billed tokens (anecdotal).

Proxy‑friendly architecture : additional local proxies can be chained for deduplication or policy routing.

Installation & Configuration

git clone https://github.com/0xSero/codex-shim ~/codex-shim
cd ~/codex-shim
python3 -m pip install --user -e .

Configure models in ~/.codex-shim/models.json:

{
  "models": [
    {
      "id": "claude-sonnet-4",
      "name": "Claude Sonnet 4",
      "provider": "anthropic",
      "model": "claude-sonnet-4-20250514",
      "apiKey": "sk-ant-..."
    }
  ]
}

Start the shim and Codex Desktop:

codex-shim generate codex-shim start codex-shim app .   # launch Codex with shim

Common commands: codex-shim list – show configured models. codex-shim status – check shim health. codex-shim disable – revert to Codex’s original configuration.

Cross‑Platform Compatibility

macOS (Intel & Apple Silicon) – full support.

Windows native (PowerShell/cmd) – supported with Python 3.11+.

Linux – supported.

WSL & Git Bash – supported.

Limitations

Requires Python 3.11+.

macOS Desktop picker patch is optional and needed only when Codex hides custom model entry.

Windows Store/MSIX versions may rewrite custom model slugs (e.g., gpt-5.5), affecting UI but not routing.

System‑level proxies on Windows need NO_PROXY for 127.0.0.1.

No official benchmark script; performance data are anecdotal.

GitHub: 0xSero/codex-shim · 635 ★ · Python · MIT

Overall Trend

These four projects illustrate a growing developer desire for control over their toolchains: security teams seek transparent asset inventories, AI‑coding users demand fine‑grained context management, satellite enthusiasts want locally runnable simulations, and developers want to plug any large model into their AI assistants. Empowering users with choice appears to be the emerging default configuration.