Hackers are increasingly exploiting trusted artificial intelligence (AI) platforms like ChatGPT and Claude to turn them against their own users. Recently, Hackread.com reported a flaw called ClaudeBleed, discovered by LayerX, which allowed unauthorised browser extensions to hijack Anthropic Claude’s interface. Now, hackers are reportedly abusing official features of these AI tools to spread malware while easily evading web filters and security checks.
The Fake Outage Trick
These observations are strengthened by new research from security firm Push Security disclosing a campaign named LLMShare involving what researchers called InstallFix attacks.
“These are essentially InstallFix attacks — a variant of the ClickFix family…, and they exploit the fact that AI tools have normalized command-line installation workflows for a population of users who lack the experience to distinguish a legitimate terminal command from a malicious one,” researchers explained.
In this specific campaign, discovered on May 29, hackers purchased sponsored Google search ads for high-volume queries like “ChatGPT desktop app” and “ChatGPT download”. Clicking the ad sent users to a genuine chatgpt.com/s/ address. Because the link sat on a trusted domain, corporate firewalls passed the traffic without inspection.
However, researchers found that hackers used ChatGPT’s code-rendering feature to create a fake outage notice inside that real link. This page claimed the web version was temporarily unavailable and urged users to download a desktop app, after which they were redirected to a lookalike site, openew.app.
This site was cleverly designed to deliver malicious executables developed for both Windows and macOS. On Mac devices, the payload was identified as Odyssey Stealer, an Atomic macOS Stealer variant that targets browser-saved passwords, crypto wallets, and session tokens.
The download site used a conditional rendering technique to prevent malware detection. Using this technique, when automated scanners like URLScan checked the link, the site masked itself by showing a harmless virtual reality company website, while real users saw the malware trap.
Exploiting AI Summaries
Another flaw was discovered and reported by Permiso Security. Dubbed ChatGPhish, this flaw targets how ChatGPT handles Markdown content when summarising third-party websites. Researchers noted that an attacker can inject malicious code into an ordinary webpage, and when a user asks ChatGPT to summarise that page, the AI automatically fetches the hacker’s live, clickable phishing links, QR codes, or fake security alerts directly into the trusted chat interface.
“In our testing, Firefox acted as the entry point. The victim browsed to a page, invoked ChatGPT’s page summarization flow, and the page content was passed into the assistant. Once that happened, attacker-controlled text from the page could influence the model’s response. The response was then rendered inside ChatGPT with live links and images… but this is not a Firefox or browser vulnerability. The browser simply passes page content into ChatGPT’s summarization flow. The real issue is that attacker-controlled content can be rendered as trusted UI inside the LLM experience,” the blog post revealed.
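One way a chat front end can limit this class of problem is to filter model output before rendering it as Markdown, keeping links and images only when they point at an allowlisted host. The sketch below is an added example, not code from Permiso, OpenAI or the original article; the allowlist, function names and sample text are constructed for illustration.

```javascript
// Added example: filter model output before it is rendered as Markdown.
// ALLOWED_HOSTS and every URL in SAMPLE are constructed (hypothetical) values.
const ALLOWED_HOSTS = new Set(["docs.example.com"]);

// True only for https URLs, without embedded credentials, on an allowlisted host.
function hostAllowed(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return false; }
  if (u.protocol !== "https:" || u.username || u.password) return false;
  return ALLOWED_HOSTS.has(u.hostname.toLowerCase());
}

function sanitizeModelMarkdown(md) {
  const findings = [];
  const check = (kind, url, keep, replacement) => {
    if (hostAllowed(url)) return keep;
    findings.push({ kind, url }); // record what was stripped, for logging or alerting
    return replacement;
  };
  // 1. Images: ![alt](url "title"). Covers remote images and data: URIs (e.g. QR codes).
  let out = md.replace(/!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g,
    (m, alt, url) => check("image", url, m, `[image removed: ${alt}]`));
  // 2. Inline links: [text](url "title"). Keep the visible text, drop the target.
  out = out.replace(/\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)/g,
    (m, text, url) => check("link", url, m, `${text} (link removed)`));
  // 3. Bare URLs, <autolinks> and reference definitions, which renderers also make clickable.
  out = out.replace(/<?\bhttps?:\/\/[^\s<>)\]]+>?/gi,
    (m) => check("link", m.replace(/^<|>$/g, ""), m, "[link removed]"));
  return { text: out, findings };
}

// Constructed model response of the kind described above: a summary carrying
// an injected "security alert" link, a QR-style image and a bare URL.
const SAMPLE = [
  "Summary: the article covers browser updates.",
  "**Security alert:** [Verify your account](https://login.attacker.test/verify)",
  "![Scan to verify](https://cdn.attacker.test/qr.png)",
  "Source: [vendor docs](https://docs.example.com/guide) and https://attacker.test/raw",
].join("\n");

const result = sanitizeModelMarkdown(SAMPLE);
console.log(result.text);
console.log(result.findings);
```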

The problems do not end there. Two critical developer-focused techniques were also reported by a firm called Adversa AI. One is called SymJack, and the other is TrustFall.
- SymJack: This attack tricks AI coding assistants into a benign file copy that overwrites their own configuration files, leading to remote code execution.
- TrustFall: This method uses malicious software repositories to auto-approve dangerous commands via the Model Context Protocol (MCP) without user consent.
Possible Consequences
These information-stealing campaigns have dangerous real-world impacts. In fact, IBM’s X-Force 2026 Threat Intelligence Index found that over 300,000 ChatGPT credentials have already been leaked on the dark web.
These were stolen directly from user devices compromised by malware like the ones distributed in these campaigns. Therefore, to stay safe, cybersecurity experts advise avoiding sponsored search ads and visiting official vendor domains only for software updates.

