That doesn’t sound very bad. Malicious deb can also include malicious files and/or malicious maintainer scripts as per discussion on github link above.
This doesn’t need any change from me. Builds currently by default always with APT packages.debian.org as up to date as Debian provides them. No more frozen packages.debian.org for now. In other words, if you build 2 weeks ago, then it uses Debian packages.debian.org from two weeks ago. If you build today, it uses Debian packages.debian.org from today.
What would need me to push upgrades is deb.whonix.org and deb.torproject.org (download and re-upload to deb.whonix.org).
Related, latest tester-only release:
Whonix VirtualBox 15.0.1.3.4 - Testers Wanted!