A problem was identified in February with the camlp5 7.03 package when installed via opam. Under certain circumstances, it is possible for the package removal instructions to execute
rm -rf / with potentially
devastating consequences for your files if your
rm command is non-GNU (and so doesn’t support the
--preserve-root default option) which includes macOS and other BSDs.
Initially, this was seen non-fatally on GNU/Linux systems and it was believed to have been successfully patched on 18 Feb with only a 48 hour window for problems for anyone who updated opam between 16 and 18 Feb and then hadn’t updated since, however we failed to take upgrading the system
compiler into account. If you haven’t updated opam since 18 Feb 2018, have camlp5 installed in your system switch and upgrade your system compiler to OCaml 4.06.1 using your OS package manager, then your system is at risk from this issue.
Full details, including advice for restoring your system to safety, are
available at https://opam.ocaml.org/blog/camlp5-system/
Most regrettably, several users have been hit by this issue. This issue affects opam 1.x only - if you have been testing the opam 2 release candidate then your system is not affected (but we still recommend you run
opam update regularly). opam 2 Release Candidate 2 includes sandboxing which would prevent this kind of issue in future.