Clasp: A four-stage supply-chain attack pattern via emergency patches
CLASP is a four-stage supply-chain attack that exploits emergency patching to rapidly deploy malware, with the patch itself acting as a diversion rather than the payload. The attack relies on dormant malicious code already merged into a codebase, which is activated after defenders apply a legitimate High/Critical CVE patch. The rise of AI models like Mythos and GPT-5.4-Cyber has accelerated vulnerability discovery and overwhelmed maintainers, making such attacks more feasible.
- CLASP involves four stages: supply-chain compromise, legitimate CVE disclosure, emergency patching, and attacker-controlled payload detonation.
- The malicious code is already in the codebase before the patch; the patch rush causes defenders to deploy it themselves.
- AI models like Mythos and GPT-5.4-Cyber have enabled on-demand discovery of trigger vulnerabilities, increasing the risk of such attacks.
- Over 99% of high/critical vulnerabilities identified by Mythos remain unpatched, creating a large attack surface.
- Organizations are advised to maintain physical offline backups and conduct bare-metal recovery exercises to prepare for compromise.
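The second point above is the one a patch pipeline can act on: because the emergency fix is legitimate, the defensive question is not "is this patch real?" but "does this patch change anything the advisory did not announce?". The following is an added example (not code from the CLASP advisory or from any project it describes) of a pre-deploy scope gate: it parses a unified diff, lists the files it touches, and blocks the rollout when any file falls outside the set the advisory named. The advisory scope, the file names and the diff are all constructed sample data.

```python
"""Emergency-patch scope gate.

Given a unified diff and the set of files an advisory says the fix
touches, flag every file changed outside that set so it gets a human
review before the patch is deployed under time pressure.
Added example; advisory scope and diff below are constructed.
"""
import re

# Constructed: the (hypothetical) advisory states the fix lives in src/parser.c only.
ADVISORY_SCOPE = {"src/parser.c"}

# Constructed unified diff: the announced fix, plus an unannounced change elsewhere.
SAMPLE_PATCH = """\
diff --git a/src/parser.c b/src/parser.c
--- a/src/parser.c
+++ b/src/parser.c
@@ -10,3 +10,4 @@
-    memcpy(dst, src, n);
+    if (n > sizeof dst) return -1;
+    memcpy(dst, src, n);
diff --git a/src/startup.c b/src/startup.c
--- a/src/startup.c
+++ b/src/startup.c
@@ -40,2 +40,3 @@
     init_modules();
+    register_hook(on_boot);
"""

# One header line per file in git's unified-diff format.
FILE_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$", re.M)


def changed_files(patch: str) -> list[str]:
    """Return the post-image path of every file the diff touches, in order."""
    return [m.group(2) for m in FILE_HEADER.finditer(patch)]


def added_removed_counts(patch: str) -> dict[str, tuple[int, int]]:
    """Count '+' / '-' body lines per file (file headers are excluded)."""
    counts: dict[str, tuple[int, int]] = {}
    current = None
    for line in patch.splitlines():
        header = FILE_HEADER.match(line)
        if header:
            current = header.group(2)
            counts[current] = (0, 0)
            continue
        if current is None or line.startswith(("+++", "---")):
            continue
        added, removed = counts[current]
        if line.startswith("+"):
            counts[current] = (added + 1, removed)
        elif line.startswith("-"):
            counts[current] = (added, removed + 1)
    return counts


def out_of_scope(patch: str, scope: set[str]) -> list[str]:
    """Files the patch changes that the advisory did not mention."""
    return sorted(f for f in changed_files(patch) if f not in scope)


def review_gate(patch: str, scope: set[str]) -> dict:
    """Decide whether the patch may roll out unreviewed.

    blocked=True means at least one changed file is outside the advisory's
    stated scope and a human must look at it before deployment.
    """
    extra = out_of_scope(patch, scope)
    return {
        "files": changed_files(patch),
        "counts": added_removed_counts(patch),
        "out_of_scope": extra,
        "blocked": bool(extra),
    }


if __name__ == "__main__":
    verdict = review_gate(SAMPLE_PATCH, ADVISORY_SCOPE)
    for path, (added, removed) in verdict["counts"].items():
        print(f"{path}: +{added} -{removed}")
    if verdict["blocked"]:
        print("BLOCKED: changes outside advisory scope:", verdict["out_of_scope"])
    else:
        print("OK: all changes within advisory scope")
```

The gate is deliberately coarse: it does not judge whether the out-of-scope change is malicious, only that the urgency of the CVE does not excuse it from review. Scoping by file is a floor; a stricter variant would compare hunks against the functions named in the advisory.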
Opening excerpt (first ~120 words):
Security Advisory · v1.0

The CLASP Attack

Organizations with the best patching processes are most vulnerable to CLASP and will be the first systems compromised. Chained Leveraged Attack on Supply Patching (CLASP) is a novel supply-chain attack pattern that weaponizes emergency patching for rapid global exploit deployment with minimal review or testing. The patch is the diversion, not the payload. The malicious code was already merged into the codebase, and the patch is forcing defenders to deploy it at speed.

Disclosed 04/13/2026 · Published 04/23/2026

This has been made much easier with the release (and leaking) of Mythos and GPT-5.4-Cyber models.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Clasp.