
LEMA Logic CEO Discloses Novel Cyber Attack Pattern to International Agencies
LEMA Logic today announced that its CEO and co-founder, Brian Gallagher, has formally disclosed a novel supply chain cyber attack pattern to four national cybersecurity authorities, including the UK National Cyber Security Centre (NCSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), CERT/CC, and the Isle of Man Cyber Security Centre (IOM CSC). In addition, Anthropic and OpenAI, whose latest AI models make the attack newly viable at speed and scale, have been advised of this attack pattern and asked to include it in their threat analysis work.
The attack pattern, named "Chained Leveraged Attack on Supply Patching" or CLASP, describes a new way for attackers to weaponise the very patching processes that organisations rely on to keep themselves secure.
A full security advisory is now publicly available at clasp.info, alongside an extended technical discussion on Brian's personal cybersecurity publication, Pressure Tested.
"If SolarWinds taught us that trusted updates can betray you, CLASP teaches that urgent updates can be weaponised against you at scale."
Brian Gallagher, CEO, LEMA Logic
Why This Disclosure Matters Now
Most cyber attacks succeed by sneaking past defences. CLASP succeeds by turning the defences into the delivery system. The attack chains together two things that are already happening in the wild: a compromised software dependency and a legitimate high-severity vulnerability disclosure. It uses the second to force defenders to deploy the first.
In short, the act of installing patches becomes the vehicle by which organisations also install the malware. Organisations with the fastest, most disciplined patching processes are the ones most exposed.
The components of the CLASP pattern are not new, but the arrangement of them is. Elements of it have been seen recently, most notably in the xz utils near-miss in 2024, where a patient attacker spent years building maintainer trust before planting a backdoor in a core Linux library.
What is new in 2026 is that current AI capabilities make this kind of attack dramatically cheaper and easier to carry out. A capability that previously required years of nation-state-level effort can now be executed in weeks by sophisticated criminal teams. Public reproductions of these AI capabilities have already appeared within days of release. The chain has moved from theoretical to practical, and from rare to scalable.
Brian's advisory at clasp.info sets out the four-stage attack chain, the threat model, and a board-ready set of questions and mitigations. The Pressure Tested article provides an extended discussion for technical readers.
What Organisations Should Do
The advisory at clasp.info sets out the recommended posture in detail. At a high level, the response involves a shift from “prevention” as the primary defence to “recovery” as a planned, funded, and regularly practised capability. That includes physical offline backups (hard drives or tapes on a shelf), quarterly bare-metal recovery exercises, in-house recovery expertise rather than outsourced retainers alone, and direct conversations with cyber insurers about coverage under simultaneous-attack scenarios.
LEMA Logic supports organisations across the Isle of Man, the UK, and the US in working through these questions, particularly at board and executive level where the strategic and financial implications of the new posture need to be understood and resourced.
"There is no vendor to notify here, and no patch to develop. The vulnerability is in the way we trust and distribute software updates. Systemic authorities need to factor this specific chain into their threat modelling, advisory processes, and coordination frameworks for mass-incident response."
Brian Gallagher, CEO, LEMA Logic
Help Spread the Word
If you know a board member, a CIO, CTO, CISO, or a senior leader in government, finance, healthcare, critical infrastructure, or any organisation that depends on rapid patching, please share this disclosure with them. The defensive window is short, and the people who need to act on this are not always the ones who read security advisories.
For broader context on the wider 2026 cybersecurity landscape that CLASP sits inside, read our companion post “Cybersecurity Is About to Get Wild. Here's What Leaders Need to Know.”
Want to discuss what this means for your organisation? Book a discovery call with LEMA Logic.
About Brian Gallagher
Brian Gallagher is the CEO and co-founder of LEMA Logic. He has over 45 years of experience in IT, security, and consulting, including published CVEs and other responsibly disclosed vulnerabilities to financial and security software vendors. He has served on university and governmental incident response teams, including at Johns Hopkins University, and is a member of the AI Advisory Group (AIAG) convened under the Isle of Man's National AI Office. He is an open-source contributor and module maintainer on several platforms, and was recently quoted in Forbes.
About LEMA Logic
LEMA Logic is built on a simple belief: People Come First. Always have. Always will. The company uses Tech + AI to make life and work better, giving teams back time, reducing stress, and helping them serve customers more effectively. It's not about technology for technology's sake. It's about smarter systems that support real people doing meaningful work. Learn more at LEMALogic.com.


