Hackers are increasingly exploiting trusted artificial intelligence (AI) platforms like ChatGPT and Claude to turn them against their own users. Recently, Hackread.com reported a flaw called ClaudeBleed, discovered by LayerX, which allowed unauthorized browser extensions to hijack Anthropic Claude’s interface. Now, hackers are reportedly abusing official features of these AI tools to spread malware while easily evading web filters and security checks.[1]
The Fake Outage Trick - These observations are strengthened by new research from the security firm Push Security, which disclosed a campaign called LLMShare involving what researchers called "InstallFix" attacks. “These are essentially InstallFix attacks — a variant of the ClickFix family…, and they exploit the fact that AI tools have normalized command-line installation workflows for a population of users who lack the experience to distinguish a legitimate terminal command from a malicious one,” researchers explained.
In this specific campaign, discovered on May 29, hackers purchased sponsored Google search ads targeting high-volume queries such as “ChatGPT desktop app” and “ChatGPT download”. Clicking the ad sent users to a legitimate chatgpt.com/s/URL. This means corporate firewalls passed the traffic without inspection. However, researchers found that hackers used ChatGPT’s code-rendering feature to create a fake outage notice inside that real link. This page claimed the web version was temporarily unavailable and urged users to download a desktop app, after which they were redirected to a lookalike site, openew.app.
LLMShare campaign fake download page (Source: Push Security)
This site was cleverly designed to deliver malicious executables developed for both Windows and macOS. On Mac devices, the payload was identified as Odyssey Stealer, an Atomic macOS Stealer variant that targets browser-saved passwords, crypto wallets, and session tokens. The download site used a conditional rendering technique to prevent malware detection. Using this technique, when automated scanners like URLScan checked the link, the site masked itself by showing a harmless virtual reality company website, while real users saw the malware trap.
Exploiting AI Summaries - Another flaw was discovered and reported by Permiso Security. Called ChatGPhish, this flaw targets how ChatGPT handles Markdown content when summarising third-party websites. Researchers noted that an attacker can inject malicious code into an ordinary webpage, and when a user asks ChatGPT to summarise that page, the AI automatically fetches the hacker’s live, clickable phishing links, QR codes, or fake security alerts directly into the trusted chat interface.
“In our testing, Firefox acted as the entry point. The victim browsed to a page, invoked ChatGPT’s page summarization flow, and the page content was passed into the assistant. Once that happened, attacker-controlled text from the page could influence the model’s response. The response was then rendered inside ChatGPT with live links and images… but this is not a Firefox or browser vulnerability. The browser simply passes page content into ChatGPT’s summarization flow. The real issue is that attacker-controlled content can be rendered as trusted UI inside the LLM experience,” the blog post revealed.
ChatGPhish Campaign (source: Permiso Security)
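The rendering problem Permiso describes can be contained on the defensive side by neutralizing links and images in a response before the chat UI renders it. The sketch below is an added example, not code from Permiso, OpenAI or the original article; the allowlist, function names and sample response are assumptions constructed for illustration.

```javascript
// Added example (not Permiso's or OpenAI's code). ALLOWED_HOSTS is a hypothetical policy.
const ALLOWED_HOSTS = new Set(["chatgpt.com", "openai.com"]);

function isAllowed(url, allowed = ALLOWED_HOSTS) {
  let u;
  try { u = new URL(url); } catch { return false; } // relative or malformed target
  if (u.protocol !== "https:") return false;         // blocks javascript:, data:, http:
  const host = u.hostname.toLowerCase();
  // Exact host or true subdomain only; "chatgpt.com.evil.example" does not match.
  return [...allowed].some((h) => host === h || host.endsWith("." + h));
}

// Rewrites Markdown produced from untrusted page content before it is rendered.
function neutralizeMarkdown(md, allowed = ALLOWED_HOSTS) {
  const removed = [];
  const text = md
    // 1. Escape raw HTML so <a>/<img> tags cannot sidestep the Markdown rules below.
    .replace(/</g, "&lt;")
    // 2. Drop every image (QR codes, fake alert banners); keep only the alt text.
    .replace(/!\[([^\]]*)\]\(\s*([^)\s]+)[^)]*\)/g, (_, alt, url) => {
      removed.push(url);
      return `[image removed: ${alt}]`;
    })
    // 3. Inline links stay clickable only when they point at an allowlisted host.
    .replace(/\[([^\]]+)\]\(\s*([^)\s]+)[^)]*\)/g, (m, label, url) => {
      if (isAllowed(url, allowed)) return m;
      removed.push(url);
      return `${label} [link removed]`;
    })
    // 4. Defang remaining bare URLs (this also breaks reference-style link targets).
    .replace(/\bhttps?:\/\/[^\s<>()\[\]]+/gi, (url) => {
      if (isAllowed(url, allowed)) return url;
      removed.push(url);
      return url.replace(/^http/i, "hxxp").replace("://", "[://]");
    });
  return { text, removed };
}

// Constructed sample: a summary response steered by attacker-controlled page text.
const SAMPLE = [
  "Summary: the page describes a product update.",
  "**Security alert:** [Verify your account](https://login.evil.example/verify)",
  "![Scan to continue](https://cdn.evil.example/qr.png)",
  "Help: [OpenAI help](https://help.openai.com/en/)",
  "Mirror: https://chatgpt.com.evil.example/app",
].join("\n");

console.log(neutralizeMarkdown(SAMPLE).text);
```

The `removed` list is worth logging: a summary response that suddenly carries off-domain links or images is a useful detection signal in its own right.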
However, this doesn’t end here. Two critical developer-focused techniques were also reported by a firm called Adversa AI. One is called SymJack, and the other is TrustFall.
- SymJack: This attack tricks AI coding assistants into a benign file copy that overwrites their own configuration files, leading to remote code execution.
- TrustFall: This method uses malicious software repositories to auto-approve dangerous commands via the Model Context Protocol (MCP) without user consent.
Possible Consequences - These information-stealing campaigns have dangerous real-world impacts. In fact, IBM’s X-Force 2026 Threat Intelligence Index found that over 300,000 ChatGPT credentials have already been leaked on the dark web.
These were stolen directly from user devices compromised by malware like the ones distributed in these campaigns. Therefore, to stay safe, cybersecurity experts advise avoiding sponsored search ads and visiting official vendor domains only for software updates.
[1] https://hackread.com/fake-chatgpt-desktop-app-ads-password-stealer-malware/