Wireshark release 4.6.5 fixes 43 vulnerabilities (38 CVEs) and 35 bugs.
This high number of fixes is due to AI:
“This release fixes quite a few vulnerabilities. This is due to to a recent trend in AI-assisted vulnerability reports.“
Didier Stevens
Senior handler
blog.DidierStevens.com
A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence.
The activity has been attributed to the GitHub account “BufferZoneCorp,” which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of writing, the packages have been yanked from RubyGems, and the Go modules have been blocked. The names of the libraries are listed below –
The identified packages masquerade as recognizable and well-known modules like activesupport-logger, devise-jwt, go-retryablehttp, grpc-client, and config-loader so as to evade detection and trick users into downloading them.
“The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems,” Socket security researcher Kirill Boychenko said in an analysis published today.
The Ruby gems are designed to automate credential theft during install time, harvesting environment variables, SSH keys, AWS secrets, .npmrc, .netrc, GitHub CLI configuration, and RubyGems credentials. The stolen data is then exfiltrated to an attacker-controlled Webhook[.]site endpoint.
On the other hand, the Go modules harbor broader capabilities to tamper with GitHub Actions workflows, plant fake Go wrappers, steal developer data, and add a hard-coded SSH public key to “~/.ssh/authorized_keys” for remote access to the compromised host. The modules do not all have the same payload; instead, they are spread across the cluster.
“The module executes through init(), detects GITHUB_ENV and GITHUB_PATH, sets HTTP_PROXY and HTTPS_PROXY, writes a fake go executable into a cache directory, and appends that directory to the workflow path so the wrapper is selected before the real binary,” Boychenko explained.
“That wrapper can then intercept or influence later go executions while still passing control to the legitimate binary to avoid breaking the job.”
Users who have installed the packages are advised to remove them from their systems, review for signs of access to sensitive files or unauthorized changes to “~/.ssh/authorized_keys,” rotate exposed credentials, and inspect network logs for outbound HTTPS traffic to the exfiltration point.
The U.S. Department of Justice (DoJ) on Thursday announced the sentencing of two cybersecurity professionals to four years each in prison for their role in facilitating BlackCat ransomware attacks in 2023.
Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were accused of deploying the ransomware against multiple victims located throughout the U.S. between April and December 2023. The two defendants, who pleaded guilty to their crimes in December 2025, conspired with Angelo Martino, 41, of Florida, to conduct the attacks.
“The three men agreed to pay the ALPHV BlackCat administrators a 20% share of any ransoms received in exchange for access to the ransomware and ALPHV/BlackCat’s extortion platform,” the DoJ said.
“All three men worked in the cybersecurity industry – meaning that they had special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing against the victims in this case.”
In one case, the defendants are said to have successfully extorted a victim for approximately $1.2 million in Bitcoin, splitting their 80% share three ways and subsequently laundering the funds to cover up the tracks.
Although the BlackCat ransomware-as-a-service (RaaS) scheme no longer exists, the group is estimated to have targeted the computer networks of more than 1,000 victims around the world.
The development comes a week after Martino pleaded guilty to the same crime, and is scheduled to be sentenced in July 2026. In addition, Martino is said to have abused his role as a negotiator to extract higher payouts from victims by sharing confidential information about their insurance policy limits with the BlackCat operators.
Martino and Martin worked for DigitalMint, while Goldberg was employed as an incident response manager for cybersecurity company Sygnia.
“These defendants exploited specialized cybersecurity knowledge not to protect victims, but to extort them,” said U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “They used ransomware to lock down critical systems, steal sensitive data, and pressure American businesses into paying to regain access to their own information.”