Does anyone have any statistics on how long a compromised package has been in the wild on average?