Actually, the package connections in this case, had already been changed to point to production, in preparation for deployment; but to answer your question, I'm not afraid as the ability to run the package in production is secured and I am not seeing any vulnerability at that level. My goal with this post was simply to validate through the community whether or not this issue should be considered a significant concern and secondly, to garner advice on how to prevent it, as I'm sure my auditors are going spot that the object creation date precedes the change request approval date and after reading my documented explanation, they are likely to ask... What did I do in order to prevent unauthorized users from installing DTS packages to production servers in the future?