Issue #1375 represents a critical security vulnerability discovered in the Ruflo package manager that affected multiple versions and highlighted risks associated with obfuscated installation scripts. The vulnerability involved unauthorized directory deletion during the preinstall phase and prompted significant security improvements in subsequent releases.

The security issue affected Ruflo versions 3.1.0-alpha.55 through 3.5.2, where the preinstall script executed during package installation contained obfuscated code ¹⁾. The obfuscated preinstall script performed unauthorized operations, specifically deleting directories located in the ~/.npm/_npx/ directory without transparent user notification or consent.

This vulnerability represented a supply chain security risk, as users installing or updating affected versions of Ruflo could experience unexpected data loss in npm-related cache and executable directories. The obfuscation of the preinstall script prevented straightforward code review and made the malicious or problematic behavior difficult for security researchers and package maintainers to detect through standard inspection methods.

The affected version range spanned from early alpha releases (3.1.0-alpha.55) through stable versions up to 3.5.2, suggesting the vulnerability persisted across multiple development and release cycles. Users who installed or updated Ruflo within this version range during normal package management operations could have had npm-related directories deleted from their systems, potentially affecting:

* Cached npm executables and dependencies * Development environment configurations * Build tool chains relying on npm-based installations * Local package manager state and metadata

The directory deletion in ~/.npm/_npx/ specifically targeted npm's executable cache, which stores pre-built binaries and globally-installed tool scripts ²⁾.

The vulnerability was patched in Ruflo version 3.6.x and later, with developers implementing security-hardening measures to prevent similar issues. A key security improvement introduced in the patched versions was the 'ruflo verify' cryptographic verification command ³⁾, which provides users with cryptographic assurance regarding the integrity and safety of Ruflo installations.

The 'ruflo verify' command operates as a post-installation security check, allowing users to validate that their Ruflo installation has not been tampered with and that preinstall scripts have executed only authorized operations. This verification mechanism represents a defense-in-depth approach to supply chain security, complementing source code review and package signing processes.

Issue #1375 exemplifies preinstall script risks in package managers, where installation-phase code execution can perform privileged operations before user verification. The vulnerability highlighted the importance of:

* Script transparency: Making installation scripts human-readable and reviewable rather than obfuscated * Cryptographic verification: Implementing post-installation verification mechanisms to detect anomalies * Permission boundaries: Restricting preinstall script access to only necessary directories and operations * Supply chain auditing: Monitoring package updates for unexpected behavioral changes

The incident contributed to broader discussions about npm security practices and the need for enhanced verification mechanisms in JavaScript package ecosystems ⁴⁾.

• ADR-095: Architectural Gaps G1–G7
• Issue #1748: MCP Tool Description Ambiguity
• roman-rr April 2026 Audit