As https://www.npmjs.com/advisories/737 has shown, a package can be identified as containing malicious code at any time. If such a package is used in production, we can find its usages quickly by checking the information gathered by the OSS and OWASP scans. Unfortunately, these reports list neither the devDependencies of the deployed services nor the dependencies of other code that is not deployed to production. This makes identifying all places where the malicious code could be used a time-consuming task.

Keep in mind that with NPM, packages depend on other packages, which in turn depend on further packages, so a single malicious package can be pulled in indirectly as a dependency of another package. In this particular case, the malicious package was a transitive dependency of ~4000 packages. To find such a transitive dependency, it is not sufficient to look at the dependencies declared in the package.json files; the complete dependency tree must be built.

I suggest having a tool like http://pkgcheck.dxdev.ibm.com:3000/triggerlibraryoverview.html that answers the question of whether a package is used anywhere in WCH. The existing reports for production must remain, so we can still answer the question of whether production was affected.
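To illustrate why the lockfile, not package.json, is the right input for this question, here is an added example (not part of the original idea, and not the code of the pkgcheck tool linked above): a small Node.js script that walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3), mirrors npm's nearest-node_modules resolution so nested copies are found, and reports every chain from the root to a given package name, flagging chains that exist only through devDependencies. The lockfile is constructed inline for the example; all package names and versions in it are made up.

```javascript
// Added example: walk an npm lockfile (lockfileVersion 2/3 "packages" map)
// and report every dependency chain that leads to a given package, including
// chains that only exist through devDependencies. The lockfile below is
// constructed for this example; all package names and versions are made up.
const SAMPLE_LOCK = {
  name: "example-service",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-service",
      version: "1.0.0",
      dependencies: { "web-framework": "^2.0.0" },
      devDependencies: { "test-runner": "^5.0.0" },
    },
    "node_modules/web-framework": { version: "2.1.0", dependencies: { "string-utils": "^1.0.0" } },
    "node_modules/string-utils": { version: "1.4.0" },
    "node_modules/test-runner": {
      version: "5.0.0", dev: true,
      dependencies: { "string-utils": "^0.9.0", "fs-walk": "^3.0.0" },
    },
    // nested copy: test-runner needs an older string-utils than the hoisted one
    "node_modules/test-runner/node_modules/string-utils": { version: "0.9.2", dev: true },
    "node_modules/fs-walk": { version: "3.0.1", dev: true },
  },
};

// Mirror npm's module resolution against the lockfile layout: look for the
// dependency in the nearest node_modules folder, then climb towards the root.
function resolveDependency(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // unmet (e.g. skipped optional) dependency
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every chain root -> ... -> targetName found in the lockfile.
// Each result: { chain: ["name@version", ...], version, dev }.
function findDependencyChains(lock, targetName) {
  const packages = lock.packages;
  const root = packages[""];
  const results = [];

  // `visited` holds the paths on the current chain only, so cycles are cut
  // without hiding a second, legitimately different route to the target.
  function walk(path, chain, isDev, visited) {
    const entry = packages[path];
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (path === "") Object.assign(deps, entry.devDependencies || {});
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDependency(packages, path, depName);
      if (!depPath || visited.has(depPath)) continue;
      const depEntry = packages[depPath];
      // A chain is "dev" once it passes through a root-level devDependency
      // that is not also a regular dependency.
      const dev = isDev || (path === "" && !(entry.dependencies && entry.dependencies[depName]));
      const nextChain = [...chain, `${depName}@${depEntry.version}`];
      if (depName === targetName) results.push({ chain: nextChain, version: depEntry.version, dev });
      walk(depPath, nextChain, dev, new Set([...visited, depPath]));
    }
  }

  walk("", [`${root.name}@${root.version}`], false, new Set([""]));
  return results;
}

// Run the same search over several lockfiles (one per repository) so the
// question "is this package used anywhere?" is answered in one pass.
function scanLockfiles(locksByRepo, targetName) {
  const report = {};
  for (const [repo, lock] of Object.entries(locksByRepo)) {
    const chains = findDependencyChains(lock, targetName);
    if (chains.length > 0) report[repo] = chains;
  }
  return report;
}

// Usage: report where "string-utils" is pulled in, and through which route.
for (const hit of findDependencyChains(SAMPLE_LOCK, "string-utils")) {
  console.log(`${hit.dev ? "[dev] " : "[prod]"} ${hit.chain.join(" > ")}`);
}
```

Against a real repository, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and feed `scanLockfiles` one parsed lockfile per repository. The example reports two routes to `string-utils`: a production route to 1.4.0 and a dev-only route to the nested 0.9.2 copy, which is exactly the kind of hit a package.json-only check or a production-only scan report would miss.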
What is your industry? | Computer Services
What is the idea priority? | High