Security Advisory · v1.0

CLASP Attack Pattern

Chained Leveraged Attack on Supply Patching. A novel supply-chain attack pattern that weaponizes emergency patching.

Security disclosure by Brian Gallagher, a security and consulting expert with 45+ years of experience, published CVEs, member of incident-response teams at university and government teams, and an IOM National AI Advisory Board Member.

Disclosed 13-14 April 2026 (NCSC 140426-JWE · CERT/CC VRF#26-04-PMPYS · CISA · IOM CSC)
Published 22 April 2026

Organizations with the best patching cycles are most vulnerable to CLASP and will be the first systems compromised.

CLASP is an attack pattern that combines a successful supply-chain compromise with a legitimate high-severity vulnerability disclosure to force rapid, low-verification patch deployment at scale. It turns emergency patch discipline into a rapid distribution system for malware. There is no practical defense strategy, which warrants a shift in posture from pure defense to offline backup and accelerated recovery.

CLASP became materially more feasible in April 2026, when Anthropic Mythos released "on-demand vulnerability discovery," quickly followed by OpenAI GPT-5.4-Cyber the next week. We are releasing this disclosure earlier than planned due to the discovery of unauthorized Mythos access by actors outside of the original "Glasswing" limited release, and the immediate relevance of that leak to the CLASP attack pattern.

What Four-stage chain: dormant malware in a dependency + legitimate High/Critical CVE disclosed in the same or dependent package → forced emergency patching → defenders install the compromise themselves → detonation at attacker's chosen time.

Why now Mythos Preview (Anthropic, 7 April) and GPT-5.4-Cyber (OpenAI, 14 April) make trigger-CVE discovery feasible on demand. Mythos was accessed without authorization on day one. Over 99% of the thousands of high/critical vulnerabilities Mythos has surfaced remain unpatched, and more capable models from both labs are publicly anticipated within weeks.

Who is at risk Any organization with a patch workflow for open-source or vendor software. The most mature patching pipelines are most at risk.

Defense None. A successful supply-chain compromise will not be caught during a High/Critical patch release cycle. The malware will be brought into your systems.

This week Verify physical offline backups. Rehearse bare-metal recovery. Review dependency inventory. Brief IR team and verify insurer coverage.

Q&A

What is CLASP?

CLASP (Chained Leveraged Attack on Supply Patching) relies on combining two components:

Malware hidden in a supply-chain compromise of a popular dependency or application.
The legitimate disclosure of a separate High or Critical vulnerability in the same codebase, or in a codebase that has the compromised code as a dependency.

The chain works because emergency patch cycles collapse the verification windows that would otherwise catch the planted code. The forcing function is externally validated -- a real CVE, CISA directives, vendor urgency notices -- so defenders are both legally and operationally obligated to patch fast.

How does the attack chain actually work?

Compromise the supply chain. Dormant malicious code is planted in a widely-used dependency. It passes automated tests; it waits for activation.
Create urgency via legitimate disclosure. A real High/Critical CVE is disclosed in the same package or a dependent package. CISA directives follow. Patching becomes mandatory within hours.
Ride the patch rush. Defenders distribute the compromised code into production at speed. Mature patch pipelines deploy fastest; SLA language mandates it.
Detonate as desired. The payload can activate across all compromised environments at once -- saturating IR capacity, making external help unavailable, and leaving organizations reliant on internal teams. Alternatively, payloads can remain stealthily in place, to be used at the attacker's convenience. Or both: noisy detonation in one set of victims as cover for quiet persistence in another.

What amplifies CLASP?

The most valuable targets are legally or operationally obligated to patch fast, with mandated SLAs enforcing rapid deployment. Review periods compress to hours. The legitimate High/Critical vulnerability being real makes not patching not an option. The better an organization's patching discipline, the faster the compromise lands inside its perimeter.

Why is this newly viable in April 2026?

Two frontier labs shipped on-demand vulnerability discovery within eight days of each other this month. That created an unprecedented "exploits on demand" scenario for attackers with access to these models -- one that enables the pairing of a pre-planted supply-chain compromise with an accelerating legitimate vulnerability disclosure to rush the compromised code into production environments worldwide, in hours.

Anthropic's Claude Mythos Preview (7 April 2026) surfaced, in its initial evaluations:

A 27-year-old denial-of-service vulnerability in OpenBSD's TCP SACK implementation.
A 17-year-old unauthenticated root RCE in FreeBSD's NFS server (CVE-2026-4747).
A 16-year-old vulnerability in FFmpeg's H.264 codec.
271 vulnerabilities fixed in Firefox 150 from a single Mythos Preview evaluation -- in a codebase Mozilla had already scanned with Opus 4.6 two release cycles earlier, yielding the 22 bugs fixed in Firefox 148. (Mozilla, 21 April 2026)
Full control-flow hijack on ten separate, fully-patched targets in Anthropic's OSS-Fuzz benchmark.
"Thousands of additional high- and critical-severity vulnerabilities" across operating systems and browsers; over 99% remain unpatched.

OpenAI's GPT-5.4-Cyber launched 14 April 2026 with a $10M Cybersecurity Grant Program and a full roster of critical-infrastructure partners already onboarded: Bank of America, BlackRock, BNY, Citi, Cisco, Cloudflare, CrowdStrike, Goldman Sachs, iVerify, JPMorgan Chase, Morgan Stanley, NVIDIA, Oracle, Palo Alto Networks, SpecterOps, US Bank, and Zscaler. That program was not assembled in the seven days since Anthropic's announcement.

On 21 April 2026, Bloomberg reported that unauthorized actors had been accessing Mythos since the day of its announcement -- fourteen days of undetected use outside the "Glasswing" controlled-access program. Capability in this regime does not merely diffuse gradually via competitor releases; it leaks directly from the gated programs themselves, on day one. With more capable models publicly anticipated from both labs in the coming weeks, the window in which defenders can prepare shrinks with every release.

Has CLASP happened yet?

Not as far as we can find as of late April 2026. Every stage has happened separately (SolarWinds, xz utils, tj-actions, Axios npm package). Nobody has publicly described or executed this full strategy in our research. We are publishing now so the pattern is in defenders' threat models before it happens -- so that organizations can adapt their security posture from "pure defense" to "fast recovery," and ensure their offline backups are actually being managed properly.

Isn't this just SolarWinds with extra steps?

No. SolarWinds succeeded because organizations trusted an update channel. CLASP succeeds because organizations are legally, contractually, and operationally obligated to trust and act on it immediately.

SolarWinds relied on stealth, patience, and selective activation. CLASP replaces stealth with urgency -- an externally validated High/Critical disclosure that compels defenders themselves to deploy the compromise at speed. SolarWinds deliberately limited blast radius to avoid detection; CLASP can use simultaneous detonation, ongoing stealth, or a combination -- distracting IR capacity with one set of victims while maneuvering undetected within others. That shifts the outcome from espionage to systemic resilience failure.

Mozilla says Mythos's findings "could have been found by an elite human researcher". Doesn't that mean nothing has really changed?

Mozilla's exact words:

Encouragingly, we also haven't seen any bugs that couldn't have been found by an elite human researcher. Mozilla, Firefox 150 security release, 21 April 2026

This is not the reassurance it sounds like. What it actually proves is that "elite human researchers" have had, collectively, decades of focused attention on OpenBSD, FreeBSD, and FFmpeg -- including with the best available AI code-review tools -- and still did not find any of these bugs. The codebase swept for Firefox 148 by the best model then available still concealed 271 vulnerabilities that Mythos found in days. The exact scenario CLASP needs -- identify and exploit codebases on demand -- is now available. It is an arms race between attackers and defenders over these latent bugs, and attackers get to pick the timing.

Aren't Mythos and GPT-5.4-Cyber gated to verified defenders? Doesn't that contain the risk?

In practice, access controls reduce casual misuse but do not reliably prevent capability diffusion. Within two weeks of Mythos's announcement:

Vidoc Security Lab reproduced key Mythos findings using off-the-shelf public models (GPT-5.4, Claude Opus 4.6) through the opencode harness. (Vidoc, 14 April 2026.) Their assessment: the key building blocks are already accessible outside Glasswing, while reliable operationalization remains the real moat.
A Discord group accessed Mythos on day one. They guessed the model's URL from Anthropic's naming conventions and exploited shared credentials from a third-party contractor. Access ran for fourteen days before Bloomberg reported it -- Anthropic's own monitoring did not detect it.
The unauthorized users were not a nation-state. They were hobbyists. One source told Bloomberg they were interested in playing around with new models, not wreaking havoc -- this time.

Anthropic's statement: We're investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments.

If the most safety-conscious frontier lab in the world cannot keep its most dangerous model gated against curious hobbyists for more than a single day, the operational assumption must be that a sophisticated adversary can access it too.

Is the trigger CVE really that easy to find?

Yes, and it is easier than that: the attacker does not need to discover one. Anthropic has disclosed thousands of additional high- and critical-severity vulnerabilities, of which over 99% of the vulnerabilities we've found have not yet been patched.

That is a pre-stocked Stage 2 inventory sitting in public infrastructure right now. A CLASP attacker can choose a trigger off the shelf rather than manufacturing one.

Why can't defenders just verify patches before applying them?

If codebase maintainers have not found a supply-chain attack in their own codebase, defenders are not going to find it during an emergency patch cycle. The xz utils maintainers did not find a backdoor in their own codebase for two years. FFmpeg survived extensive automated testing with a hidden bug for sixteen. An emergency-patch review window is measured in hours.

Defenders also cannot leave a known High/Critical vulnerability unpatched. The published vulnerability is real. CISA is issuing directives. The patch is mandatory. The attacker knows this -- that is what makes CLASP work.

Traditional advice -- canary environments, reproducible builds, dependency pinning -- raises the bar for lazy attacks and is worth doing. It will not stop a well-planned CLASP.

What defenses exist against CLASP?

None. You are not going to find a successful supply-chain attack during a High/Critical patch release cycle. The malware will be brought into your systems.

This is why the posture shift matters. Prevention is not reliable; rapid, clean recovery is the only lever that actually works. See What should my organization do this week.

What about dependency pinning?

It stops Stage 3 if the unpatched version can stay in production. Stage 2 ensures that it cannot -- the urgency is externally validated, CISA is issuing directives, vulnerability scanners are lighting up, auditors are asking questions. Dependency pinning means nothing when operational and regulatory pressure forces the unpin.

What should my organization do this week?

Prevention is not a viable strategy. The posture shift is: assume compromise, optimize recovery.

Physical, offline backups. Not cloud snapshots an attacker with admin credentials can reach. Disconnected drives or tapes, rotated daily.
Disposable infrastructure. If bare-metal rebuild from air-gapped artefacts isn't possible today, the DR plan has holes.
Practice rebuilding quarterly. Annual DR exercises fail under pressure.
Plan for external help being unavailable. IR retainers and cloud-provider assistance will be saturated during a CLASP event.
Heightened monitoring after emergency updates. CPU, GPU, outbound traffic, for at least a week post-patch.
SBOM discipline. So exposure can be assessed in minutes, not days.
Map kill switches. "Turn everything off" is not a plan.
Verify insurer coverage. Does the policy cover simultaneous, AI-orchestrated ransomware across the entire infrastructure via a compromised supply-chain update?

What should the board be asking?

Do we have in-house expertise to recover if we are on our own? If the answer is uncertain, the rest of these questions are already answered.
How long would it take to rebuild our three most critical systems from air-gapped backups, on new hardware, without cloud assistance?
If our IR retainer and our primary cloud provider were both unavailable simultaneously, who is running the response?
Does our cyber insurance respond to a CLASP-class event, or carve it out under systemic/war exclusions?
When did we last rehearse recovery end-to-end, and did it work?
If a High/Critical CVE dropped today in our most widely-deployed dependency, could we verify the patch itself before applying -- or would SLA pressure push us to install whatever the vendor shipped?

Why publish this? Aren't you giving adversaries the playbook?

Nation-state actors think in chains. Every individual stage of CLASP has already happened. The AI capability that makes Stage 2 trivial has been publicly shipped by two independent frontier labs this month, and breached within 24 hours of the more restricted of the two.

The risk of organizations being unprepared materially outweighs the risk of giving sophisticated adversaries an idea they almost certainly already have. The people who need this warning are the defenders who don't.

Before publishing, this pattern was briefed to CISA, CERT/CC, NCSC, and IOM CSC. See Disclosure record.

Disclosure record

CLASP does not have a single vendor to notify -- the vulnerability is in the structure of emergency patching itself, not in a software package. Coordinated pre-publication briefings went to four national authorities before publication.

Authority	Reference	Date
CISA (US)	--	2026-04-13
CERT/CC	VRF#26-04-PMPYS	2026-04-13
NCSC (UK)	140426-JWE	2026-04-14
IOM CSC / OCSIA	--	2026-04-13

Disclosures to Anthropic and OpenAI are prepared and will be sent after NCSC's guidance on routing. The framing is not halt release -- unwinnable, and the capability is already broadly reproduced -- but factor this specific chain into threat modelling, red-team testing, and coordination with critical-infrastructure defenders.

Sources

Anthropic, Claude Mythos Preview, 7 April 2026. red.anthropic.com/2026/mythos-preview/
Bobby Holley, Mozilla, Firefox 150 Security Release, 21 April 2026. blog.mozilla.org/en/firefox/ai-security-zero-day-vulnerabilities/
OpenAI, Trusted access for the next era of cyber defense, 14 April 2026. openai.com/index/scaling-trusted-access-for-cyber-defense/
OpenAI, Accelerating the cyber defense ecosystem that protects us all, 16 April 2026. openai.com/index/accelerating-cyber-defense-ecosystem/
Vidoc Security Lab, We reproduced Anthropic's Mythos findings with public models, 14 April 2026. blog.vidocsecurity.com
TechCrunch, Unauthorized group has gained access to Anthropic's exclusive cyber tool Mythos, 21 April 2026 (citing Bloomberg). techcrunch.com

Historical supply-chain references

SolarWinds (2020): CVE-2020-10148
Codecov (2021): CISA advisory (no CVE issued)
3CX (2023): CVE-2023-29059
xz utils (2024): CVE-2024-3094
tj-actions/changed-files (2025): CVE-2025-30066
Axios npm package (2026): CVE-2026-25639

About the author

Brian Gallagher is CEO of LEMA Logic. 45+ years in security and consulting, including CVE-2006-2042 and other responsibly-disclosed vulnerabilities to financial and security software vendors. Has served on university and governmental incident-response teams. National AI Advisory Board Member (Isle of Man). Open-source contributor and module maintainer on several platforms. Recently quoted in Forbes.

Contact: brian@lemalogic.com · Follow for updates on Pressure Tested.