Attackers Hide Malware in Public ChatGPT and Claude Conversation Links: what changed

Security researchers say attackers are steering victims to publicly shared AI chat transcripts that impersonate outage notices or support guides, then push downloads or Terminal commands that deliver malware.

Attackers are posting publicly shared ChatGPT and Claude conversation links that display convincing error pages or installation guides and then prompt visitors to run commands or download software that carries malware. Victims commonly reach those shared chats through paid search ads, a vector that boosts traffic to the malicious pages and the chance that users will follow the guidance shown in the transcript.

Security firm Push Security reported that attackers design shared chats to mimic official outage notices and install guides. One campaign used ChatGPT’s code‑rendering to embed a complete fake error page inside a shared conversation and then urged users to download an infected desktop app. On Claude, attackers posted walkthroughs posing as Apple support that include malicious Terminal commands. Push Security published indicators including hxxps://claude[.]ai/share/8e6401b5 — 4849-46c4-a3cb-29e1c3c49131, hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d, the openew[.]app domain, and SHA256 de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78.

Attackers exploit the platforms’ native sharing features: entire conversations are hosted on trusted domains, which lowers the chance of false positives from automated security tools and raises user trust. Push Security has named the technique “LLMShare.” Other research teams, including BleepingComputer and Kaspersky, have documented similar campaigns, indicating multiple groups are tracking the trend.

Because the malicious content is served from legitimate platform pages, users can be persuaded to execute commands or install applications that deliver malware while defenses fail to flag the origin. Push Security’s findings highlight a gap for defenders and platform operators and have prompted calls for scanning shared transcripts, tighter sharing controls, or explicit user warnings when someone follows externally promoted conversation links.