On servers, it picked up a few exploitable (but uninstalled) packages from our Debian mirror, and a few EICAR files. So, no actual threat averted.