brace-expansion is a very popular npm package with over 38 billion all-time downloads (yeah, over 38,000,000,000) and used by tooling almost every JavaScript project relies on - eslint, glob, and npm itself. Despite being in the public eye for a while, we found a new Denial-of-Service vulnerability that could affect millions. This post walks through what the package does, existing issues that were fixed, and the new one we found - CVE-2026-13149.