Security Advisory · v1.0

The CLASP Attack

Organizations with the best patching processes are most vulnerable to CLASP and will be the first systems compromised.

Chained Leveraged Attack on Supply Patching (CLASP) is a novel supply-chain attack pattern that weaponizes emergency patching for rapid global exploit deployment with minimal review or testing. The patch is the diversion, not the payload. The malicious code was already merged into the codebase, and the patch is forcing defenders to deploy it at speed.

Disclosed 04/13/2026 · Published 04/23/2026

This has been made much easier with the release (and leaking) of Mythos and GPT-5.4-Cyber models. The current situation requires a shift in security posture from "defensive" to "optimize recovery" -- prevention alone is no longer sufficient when exploits are available almost on demand and maintainer pipelines are overwhelmed by AI-surfaced bug submissions (up to 95% of them false positives, exhausting the package maintainers open source depends on). Manual offline backups and regular bare-metal recovery exercises should be considered a baseline security requirement to prevent online backups from being corrupted, encrypted, or deleted.

Security disclosure by Brian Gallagher, CEO of LEMA Logic.

Share Copy link

Editor's note: we are releasing this disclosure earlier than planned due to the discovery of unauthorized Mythos access by actors outside the original "Glasswing" limited release, and the immediate relevance of that leak to the CLASP attack pattern.

At a glance

What

Four-stage chain: dormant malware in an application or dependency + legitimate High/Critical CVE disclosed in the same or dependent package → forced emergency patching → defenders install the compromise themselves → detonation at attacker's chosen time.

Why now

Mythos Preview (Anthropic, 7 April) and GPT-5.4-Cyber (OpenAI, 14 April) make trigger-CVE discovery feasible on demand. Mythos was accessed without authorization on day one. Over 99% of the thousands of high/critical vulnerabilities Mythos has surfaced remain unpatched (Anthropic), and more capable models from both labs are publicly anticipated within weeks.

Defense

None. A successful supply-chain compromise will not be caught during a High/Critical patch release cycle. The malware will be brought into your systems.

Immediately

Verify physical offline backups. Rehearse bare-metal recovery. Review dependency inventory. Brief the incident response (IR) team and verify insurer coverage.

The CLASP Attack Chain

Four stages. Patching is Stage 3 -- the moment defenders themselves install the malware.

Stage 1: Compromise the supply chain

Dormant malicious code is planted in a widely-used package -- the carrier. Once merged into the main codebase, it remains dormant until Stage 4.

Stage 2: Create urgency via legitimate disclosure

A real High/Critical CVE is disclosed in a package that pulls the carrier into production. The disclosure takes one of three shapes:

The attacker can disclose the CVE themselves -- shrinking the window in which a maintainer, auditor, or AI scan could discover the Stage-1 malware -- or ride a CVE disclosed independently in the same ecosystem. CISA directives follow. Patching becomes mandatory within hours.

Stage 3: Ride the patch rush

Defenders distribute the compromised code into production at speed. Mature patch pipelines deploy fastest; SLA language mandates it.

Stage 4: Detonate on the attacker's schedule

The payload activates when and where the attacker chooses -- everywhere at once, selectively, or in waves, at a single time or staggered across multiple trigger events. Simultaneous detonation saturates IR capacity and strands organizations on internal resources. Stealthy activation preserves long-dwell access. Hybrid -- noisy in one set of victims, quiet persistence in another -- does both.

---

Q&A

• What is CLASP?
• Is this a new type of attack?
• What amplifies CLASP?
• Why is this newly viable in April 2026?
• Has CLASP happened yet?
• Isn't this just SolarWinds with extra steps?
• Doesn't Mozilla's "elite human researcher" line mean nothing's really changed?
• Aren't Mythos and GPT-5.4-Cyber gated to verified defenders?
• Is the trigger CVE really that easy to find?
• Why can't defenders just verify patches before applying them?
• What defenses exist against CLASP?
• What about dependency pinning?
• What should my organization do this week?
• What should my organization do this quarter?
• What should the board be asking?
• Why publish this now?

What is CLASP?

CLASP (Chained Leveraged Attack on Supply Patching) relies on combining two components:

1. Malware hidden in a supply-chain compromise of a popular dependency or application.
2. The legitimate disclosure of a separate High or Critical vulnerability in the same codebase, or in a codebase that has the compromised code as a dependency.

The chain works because emergency patch cycles collapse the verification windows that would otherwise catch the planted code. The forcing function is externally validated -- a real CVE, CISA directives, vendor urgency notices -- so defenders are both legally and operationally obligated to patch fast.

Is this a new type of attack?

No. Supply-chain attacks are well-documented (SolarWinds, xz utils, Axios). CVE-driven emergency patching is routine. What CLASP describes is a new form of delivering a supply-chain attack at speed and scale after the compromised code has already been pulled into the main codebase. The novel element is using a legitimate vulnerability disclosure as the forcing function to drive global deployment of pre-planted malware -- exploiting the very urgency that defenders rely on to stay safe.

Pressure Tested has a deeper analysis with more details, related history, etc.

What amplifies CLASP?

The most valuable targets are legally or operationally obligated to patch fast, with mandated SLAs enforcing rapid deployment. Review periods compress to hours. The legitimate High/Critical vulnerability being real makes not patching not an option. The better an organization's patching discipline, the faster the compromise lands inside its perimeter.

A second amplifier is the bugfix wave itself. AI-surfaced vulnerability reports have already overwhelmed maintainer review bandwidth to the point that major projects have withdrawn from open bug-bounty channels: curl ended its nine-year HackerOne bug-bounty program on January 31, 2026, citing "an explosion in AI slop reports" and a drop in the confirmed-vulnerability rate from above 15% to below 5%. Under the compressed review windows of emergency patching, the same legitimate-fix traffic provides cover for a patient attacker to slip a deliberately-planted backdoor into the same repository. The wave that cleans the installed base is, simultaneously, the most target-rich moment to plant the next generation of dormant compromises.

Why is this newly viable in April 2026?

Two frontier labs shipped on-demand vulnerability discovery within eight days of each other this month. That created an unprecedented "exploits on demand" scenario for attackers with access to these models -- one that enables the pairing of a pre-planted supply-chain compromise with an accelerating legitimate vulnerability disclosure to rush the compromised code into production environments worldwide, in hours.

Anthropic's Claude Mythos Preview (April 7, 2026) surfaced, in its initial evaluations:

• A 27-year-old denial-of-service vulnerability in OpenBSD's TCP SACK implementation.
• A 17-year-old unauthenticated root RCE in FreeBSD's NFS server (CVE-2026-4747).
• A 16-year-old vulnerability in FFmpeg's H.264 codec.
• 271 vulnerabilities fixed in Firefox 150 from a single Mythos Preview evaluation -- in a codebase Mozilla had already scanned with Opus 4.6 two release cycles earlier, yielding the 22 bugs fixed in Firefox 148. (Mozilla, April 21, 2026)
• Full control-flow hijack on ten separate, fully-patched targets in Anthropic's OSS-Fuzz benchmark.
• "Thousands of additional high- and critical-severity vulnerabilities" across operating systems and browsers; over 99% remain unpatched.

OpenAI's GPT-5.4-Cyber launched April 14, 2026 with a $10M Cybersecurity Grant Program and a full roster of critical-infrastructure partners already onboarded: Bank of America, BlackRock, BNY, Citi, Cisco, Cloudflare, CrowdStrike, Goldman Sachs, iVerify, JPMorgan Chase, Morgan Stanley, NVIDIA, Oracle, Palo Alto Networks, SpecterOps, US Bank, and Zscaler. That program was not assembled in the seven days since Anthropic's announcement.

On April 21, 2026, Bloomberg reported (paywalled; free summary: TechCrunch) that unauthorized actors had been accessing Mythos since the day of its announcement -- fourteen days of undetected use outside the "Glasswing" controlled-access program. Capability in this regime does not merely diffuse gradually via competitor releases; it leaks directly from the gated programs themselves, on day one. With more capable models publicly anticipated from both labs in the coming weeks, the window in which defenders can prepare shrinks with every release.

Longer analysis -- AI as accelerant, not prerequisite -- on Pressure Tested.

Has CLASP happened yet?

Not as far as we can find as of late April 2026. Every stage has happened separately (SolarWinds, xz utils, tj-actions, Axios npm package). Nobody has publicly described or executed this full strategy in our research. We are publishing now so the pattern is in defenders' threat models before it happens -- so that organizations can adapt their security posture from "pure defense" to "fast recovery," and ensure their offline backups are actually being managed properly.

Isn't this just SolarWinds with extra steps?

No. SolarWinds succeeded because organizations trusted an update channel. CLASP succeeds because organizations are legally, contractually, and operationally obligated to trust and act on it immediately.

SolarWinds relied on stealth, patience, and selective activation. CLASP replaces stealth with urgency -- an externally validated High/Critical disclosure that compels defenders to deploy the compromise themselves, at speed.

SolarWinds limited blast radius to avoid detection. CLASP gives the attacker a menu: simultaneous global detonation, stealthy selective activation, or hybrid -- at a single time or staggered across multiple triggers. The choice maps to intent. State and APT actors favor stealth for long-dwell espionage, holding damage triggers in reserve for critical systems during geopolitical conflict, or combining the two. Commercial ransomware crews have the opposite incentive: maximum simultaneous damage out of the gate, because extortion leverage scales with the number of victims on fire at once. Either way, the outcome shifts from espionage to systemic resilience failure.

Mozilla says Mythos's findings "could have been found by an elite human researcher". Doesn't that mean nothing has really changed?

Mozilla's exact words:

Encouragingly, we also haven't seen any bugs that couldn't have been found by an elite human researcher. Mozilla, Firefox 150 security release, April 21, 2026

This is not the reassurance it sounds like. What it actually proves is that "elite human researchers" have had, collectively, decades of focused attention on OpenBSD, FreeBSD, and FFmpeg -- including with the best available AI code-review tools -- and still did not find any of these bugs. The codebase swept for Firefox 148 by the best model then available still concealed 271 vulnerabilities that Mythos found in days. The exact scenario CLASP needs -- identify and exploit codebases on demand -- is now available. It is an arms race between attackers and defenders over these latent bugs, and attackers get to pick the timing.

Aren't Mythos and GPT-5.4-Cyber gated to verified defenders? Doesn't that contain the risk?

In practice, access controls reduce casual misuse but do not reliably prevent capability diffusion. The current gating is also a temporary exclusivity window: both labs have indicated broader availability once key partners finish their initial access periods, which means whatever doesn't leak out now will be generally available soon. And within two weeks of Mythos's announcement:

1. Vidoc Security Lab reproduced key Mythos findings using off-the-shelf public models (GPT-5.4, Claude Opus 4.6) through the opencode harness. (Vidoc, April 14, 2026.) Their assessment: the key building blocks are already accessible outside Glasswing, while reliable operationalization remains the real moat.
2. A Discord group accessed Mythos on day one. They guessed the model's URL from Anthropic's naming conventions and exploited shared credentials from a third-party contractor. Access ran for fourteen days before Bloomberg reported it (paywalled; free summary via TechCrunch) -- Anthropic's own monitoring did not detect it.
3. The unauthorized users were not a nation-state. They were hobbyists. One source told Bloomberg they were interested in playing around with new models, not wreaking havoc -- this time.

Anthropic's statement: We're investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments.

If the most safety-conscious frontier lab in the world cannot keep its most dangerous model gated against curious hobbyists for more than a single day, the operational assumption must be that a sophisticated adversary can access it too.

To be clear: this is not a critique of Anthropic or OpenAI. Their gating, Responsible Scaling commitments, and public disclosure of capability are exactly what make systemic threat modeling like CLASP possible to write. The risk is not in the labs -- it is in the assumption that capability gating alone can keep these tools out of adversary hands.

Is the trigger CVE really that easy to find?

The attacker doesn't have to find one. Anthropic and OpenAI have already surfaced thousands of new vulnerabilities, of which over 99% (per Anthropic) have not yet been patched. The pace of legitimate Critical CVE disclosures is about to accelerate sharply, and a CLASP attacker only needs to ride one of those waves.

Upcoming general-availability releases will make Mythos/Cyber-class capability available to any customer with access to the models, and open-source replications tend to follow quickly, making it available to anyone. The attackers will be able to use their own found vulnerabilities as well as the wave of patches coming from the rest of the developers.

Why can't defenders just verify patches before applying them?

Because the patch is the distribution and a diversion, not the attack. The malicious code is not in the patch itself -- it was merged into the upstream supply chain days, weeks, or months earlier, dormant and waiting for Stage 4 to be activated. The CVE and its patch are the delivery vehicle: it creates the operational (and maybe regulatory) urgency that forces defenders to pull the latest version into production at speed, with minimal review, at maximum reach.

And even if defenders tried to audit the full codebase during an emergency cycle, they would almost certainly fail. If the core maintainers have not found a supply-chain compromise in their own code, defenders are not going to find it in hours during an emergency update. The xz utils maintainers did not find the backdoor until five weeks after it had been merged into their development branch, by pure luck from someone not even working on the project directly. FFmpeg survived extensive automated testing with an unknown bug for sixteen years.

Defenders also cannot leave a known High/Critical vulnerability unpatched. The published vulnerability is real. CISA is issuing directives. SLAs need to be met. The patch is mandatory. The attacker knows this -- that is what makes CLASP work.

Traditional advice -- canary environments, reproducible builds, dependency pinning -- raises the bar for traditional attacks and is worth doing, but will not stop a well-planned CLASP attack.

What defenses exist against CLASP?

None. You are not going to find a successful supply-chain attack during a High/Critical patch release cycle. The malware will be brought into your systems.

This is why we need a shift in posture. Prevention is not going to be a reliable posture. We need to shift to a posture of rapid, clean recovery. See What should my organization do?

What about dependency pinning?

It stops Stage 3 if the unpatched version can stay in production. Stage 2 ensures that it cannot -- the urgency is externally validated, CISA is issuing directives, vulnerability scanners are lighting up, auditors are asking questions. Dependency pinning means nothing when operational and regulatory pressure forces the unpin.

What should my organization do this week?

Prevention is not a viable strategy against CLASP. The posture shift is: assume compromise, optimize recovery. This week is about audit, brief, and ask -- finding out what you actually have so the quarter-scale work can target the real gaps.

• Brief the IR team on CLASP. They need the threat model before the next emergency-patch cycle, not after.
• Verify insurer coverage. Email the broker. Does the policy cover a simultaneous, AI-orchestrated attack across the entire infrastructure via a compromised supply-chain update? Get the answer in writing.
• List the critical SaaS dependencies. Salesforce, GitHub, Okta, Stripe, Slack, others. Don't audit each yet -- just list them with criticality and data-loss exposure.
• Audit existing backups. Do offline backups exist where they're claimed to? When were they last tested? When was the last successful restore? "I'm not sure" is an answer.
• Map kill switches that already exist. "Turn everything off" is not a plan. List what you can actually shut down, who can authorize it, and how long it takes.
• Heightened monitoring on emergency updates. CPU, GPU, outbound traffic, for at least a week post-patch. Operational tweak; the SOC can do this now.

What should my organization do this quarter?

The this-week audit produces the gap list. This-quarter work funds and closes those gaps. Most of it is procurement, headcount, or architecture -- which means it cannot be done this week, and waiting for an incident to fund it is too late.

The outsourced-resilience problem. IR retainers, managed-detection services, cloud DR providers, and consulting firms are all shared resources. A CLASP-class event saturates all of them simultaneously -- which means outsourced resilience is a posture that fails exactly when it is most needed. Recovery capability has to live in-house, on staff, funded as a headcount line rather than a retainer line, before the event starts.

• Physical, offline backups. Not cloud snapshots an attacker with admin credentials can reach. Disconnected drives or tapes, rotated daily.
• SaaS dependencies -- full audit and backup tooling. For each critical SaaS platform identified this week: can the data be backed up in a form usable without the platform? Is it being backed up regularly? Is the backup offline where an attack cannot reach it? Can the business operate for a week or more if the platform is unavailable? Every "no" is a funded gap, not a hypothetical.
• Disposable infrastructure. If bare-metal rebuild from air-gapped artifacts isn't possible today, the DR plan has holes.
• Practice rebuilding, quarterly. Annual DR exercises fail under pressure.
• In-house recovery expertise as a budget line. Treat recovery headcount as non-negotiable, not as a retainer that can be cut in lean quarters. When external help is saturated, internal capability is what you have.
• Plan for external help being unavailable. IR retainers and cloud-provider assistance will be saturated during a CLASP event. Run a tabletop exercise with that constraint built in.
• SBOM discipline. So exposure can be assessed in minutes, not days.
• Build out the kill-switch gaps identified during the this-week audit.

What should the board be asking?

1. Is our resilience outsourced, and does our budget reflect the risk that is? IR retainers, managed-detection, and consulting firms are shared resources that will be saturated in a CLASP-class event. If recovery is a retainer line rather than a headcount line, we have adopted the riskiest possible posture. If we are uncertain whether in-house staff could recover without external help, the rest of these questions are already answered.
2. How long would it take to rebuild our three most critical systems from air-gapped backups, on new hardware, without cloud assistance?
3. If our IR retainer and our primary cloud provider were both unavailable simultaneously, who is running the response?
4. Does our cyber insurance respond to a CLASP-class event, or carve it out under systemic/war exclusions?
5. When did we last rehearse recovery end-to-end, and did it work?
6. If a High/Critical CVE dropped today in our most widely-deployed dependency, could we verify the patch itself before applying -- or would SLA pressure push us to install whatever the vendor shipped?
7. For each SaaS platform the business depends on: can we back up its critical data in a form usable without the platform? Are we doing it regularly? Is the backup offline? Can the business operate for a week if the platform is unavailable? Every "no" answer is a funded gap, not a hypothetical.

Why publish this now? Aren't you giving adversaries the playbook?

Nation-state actors think in chains. Every individual stage of CLASP has already happened. The AI capability that makes Stage 2 trivial has been publicly shipped by two independent frontier labs this month, and breached within 24 hours of the more restricted of the two.

The risk of organizations being unprepared materially outweighs the risk of giving sophisticated adversaries an idea they almost certainly already have. The people who need this warning are the defenders who don't.

Before publishing, this pattern was briefed to CISA, CERT/CC, NCSC, and IOM CSC. See Disclosure record.

Disclosure record

CLASP does not have a single vendor to notify -- the vulnerability is in the structure of emergency patching itself, not in a software package. Coordinated pre-publication briefings went to four national authorities before publication.

Authority	Reference	Date
CISA (US)	--	04/13/2026
CERT/CC	VRF#26-04-PMPYS	04/13/2026
NCSC (UK)	140426-JWE	04/14/2026
IOM CSC / OCSIA	--	04/13/2026

Disclosures to Anthropic and OpenAI have been sent.

The framing is not halt releases -- that's not a reasonable expectation, and open-source models will likely catch up soon. The framing is to understand the speed and scale of the risk, and how to protect your data in the event that it happens.

Sources

1. Anthropic, Claude Mythos Preview, April 7, 2026. red.anthropic.com/2026/mythos-preview/
2. Bobby Holley, Mozilla, Firefox 150 Security Release, April 21, 2026. blog.mozilla.org/en/firefox/ai-security-zero-day-vulnerabilities/
3. OpenAI, Trusted access for the next era of cyber defense, April 14, 2026. openai.com/index/scaling-trusted-access-for-cyber-defense/
4. OpenAI, Accelerating the cyber defense ecosystem that protects us all, April 16, 2026. openai.com/index/accelerating-cyber-defense-ecosystem/
5. Vidoc Security Lab, We reproduced Anthropic's Mythos findings with public models, April 14, 2026. blog.vidocsecurity.com
6. Rachel Metz, Bloomberg, Anthropic's Mythos Model Is Being Accessed by Unauthorized Users, April 21, 2026 (paywalled). bloomberg.com
7. TechCrunch, Unauthorized group has gained access to Anthropic's exclusive cyber tool Mythos, April 21, 2026 (free summary of the Bloomberg report). techcrunch.com
8. Daniel Stenberg, The end of the curl bug-bounty, January 26, 2026. daniel.haxx.se
9. Dave Liebenberg, Cisco Talos, Do not get high(jacked) off your own supply (chain), April 3, 2026. blog.talosintelligence.com
10. Sumit Dhawan, Proofpoint, The Patch Cycle Is No Longer the Security Clock, April 22, 2026. proofpoint.com
11. Wade Woolwine, Rapid7, AI is Changing Vulnerability Discovery and your Software Supply Chain Strategy has to Change with it, April 23, 2026. rapid7.com

Further reading

For extended analysis -- this is already unfolding; CLASP is one stage of it -- see Cybersecurity's 2026 Wild Ride on Pressure Tested.

Historical supply-chain references

• SolarWinds (2020): CVE-2020-10148
• Codecov (2021): CISA advisory (no CVE issued)
• 3CX (2023): CVE-2023-29059
• xz utils (2024): CVE-2024-3094
• tj-actions/changed-files (2025): CVE-2025-30066
• Axios npm package (2026): CVE-2026-25639

Acknowledgments

Thanks to Jeff Ames, CTO of Computer Network Defence Ltd, for peer review prior to publication.

About the author

Brian Gallagher is CEO of LEMA Logic. 45+ years in security and consulting, including CVE-2006-2042 and other responsibly-disclosed vulnerabilities to financial and security software vendors. Has served on university and governmental incident-response teams. Isle of Man's national AI Advisory Group (AIAG) member. Open-source contributor and module maintainer on several platforms. Recently quoted in Forbes.

Contact: brian@lemalogic.com · Follow for updates on Pressure Tested.