while (<DATA>){
  while ($_ =~/(^|\W)CPAN(\W)/gi){
  print substr($`,length($`)-10) . $& . substr($',0,10) . "\n";
  }
}
__DATA__
To my great surprise, when I traced it out I found two CPAN modules (so far) that we use are also tainted in this way: Printer and Math::MatrixReal.  I have sent mail to the maintainers of these modules pointing out the issue.  It makes me wonder how many other CPAN modules are tainted with "naughty match variables".