A critical remote code execution vulnerability has been discovered in simple-git, an npm package with over 5 million weekly downloads. CVE-2026-28292, rated CVSS 9.8, allows RCE through a case-sensitivity bypass. If you use Node.js in production, stop reading this and go check your lockfiles.
This is the supply chain nightmare scenario: a critical RCE in a package so boring and fundamental that nobody thinks about it until it's everywhere. simple-git is in your CI/CD pipelines. It's in your deployment scripts. It's in your teammate's side project that somehow made it to production. It's probably in tools you use that you don't even realize depend on it.
The vulnerability relies on a case-sensitivity bypass, which is exactly the kind of subtle bug that's easy to introduce and hard to catch in review. Git runs on filesystems that are case-insensitive and on others that are case-sensitive, and its path handling has to cope with both. That inconsistency creates edge cases, and attackers love edge cases.
According to the security analysis, the RCE can be triggered through crafted input that bypasses input validation. The details are technical, but the impact is simple: if an attacker can control input to simple-git, they can potentially execute arbitrary code on your server.
What makes this particularly nasty is where simple-git typically runs: in automated systems processing untrusted input. CI/CD pipelines that automatically check out user-supplied branches. Deployment scripts that pull from repositories. Webhooks that trigger on repository events. All of these are potential attack vectors.
The 5+ million weekly downloads number tells you the scale of potential exposure. That's not 5 million unique applications—many of those downloads are the same app being deployed repeatedly. But it still represents a massive installed base across the JavaScript ecosystem.
This is also a reminder of the JavaScript dependency hell problem. Your application might not directly depend on simple-git, but some library you depend on might. Or some library that library depends on. Modern Node.js apps typically have hundreds or thousands of transitive dependencies. Auditing all of them is effectively impossible.
The fix is straightforward: update to the patched version. The challenge is finding everywhere it is used. Check your package-lock.json or yarn.lock. Check your Docker images. Check your CI/CD runners. Check your developer workstations. This thing is .
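To make the lockfile check concrete, here is an added example (not the post's own code) that walks a package-lock.json and reports every installed copy of simple-git together with the packages that declare it, so a transitive pull-in shows up too. The `deploy-helper` package, its version numbers and the fixed-version argument are constructed placeholders, since the post does not state the patched release.

```javascript
// Added example (not the post's code): find every installed copy of a package in
// package-lock.json and the packages that declare it; handles lockfileVersion 1, 2 and 3.
function findInLockfile(lock, name) {
  const copies = [];     // { path, version } for each installed copy
  const dependents = []; // packages whose manifest lists `name`
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths, "" is the root project.
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        copies.push({ path: p, version: meta.version });
      }
      const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
      if (name in deps) dependents.push(p === "" ? "(root project)" : p);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects mirror the node_modules tree.
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${dep}`;
        if (dep === name) copies.push({ path: p, version: meta.version });
        if (meta.requires && name in meta.requires) dependents.push(p);
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return { copies, dependents };
}
// major.minor.patch compare: true when `version` is older than `fixed`. The post does
// not state the patched release, so the caller supplies it on the command line.
function isOlderThan(version, fixed) {
  const a = version.split(/[.+-]/).map(Number), b = fixed.split(/[.+-]/).map(Number);
  for (let i = 0; i < 3; i++) if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  return false;
}
// Constructed sample lock (lockfileVersion 3): simple-git arrives only transitively via
// a hypothetical "deploy-helper" package; all version numbers here are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "deploy-helper": "^1.0.0" } },
  "node_modules/deploy-helper": { version: "1.0.0", dependencies: { "simple-git": "^1.0.0" } },
  "node_modules/simple-git": { version: "1.2.3" },
} };
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs"); // usage: node audit-lock.js [package-lock.json] [fixed-version]
  const [file, fixed] = process.argv.slice(2);
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const { copies, dependents } = findInLockfile(lock, "simple-git");
  for (const c of copies) console.log(`${c.path}@${c.version}`, fixed && isOlderThan(c.version, fixed) ? "(older than fixed)" : "");
  console.log("declared by:", dependents.join(", ") || "(none)");
}
```

Run it against each lockfile you find (application repos, Docker build contexts, CI runner images); a copy listed only under another package's node_modules is exactly the transitive case the post warns about.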
