Notifications
Clear all
Topic starter
09/06/2026 11:22 pm
TL;DR: Attackers are abusing shared ChatGPT and Claude content, plus sponsored malvertising and SEO poisoning, to deliver malware from pages hosted on trusted domains and to evade URL reputation checks before victims reach the payload, according to Push Security. The pattern shows that platform trust, not just malicious infrastructure, is now part of the attack surface.
NHIMG editorial — based on content published by Push Security: LLMShare attacks abusing ChatGPT and Claude shared content to deliver malware
By the numbers:
- Search-based delivery is now the dominant channel for malware distribution, with ClickFix attacks reached via search results rather than email in 4 of 5 cases.
- Attackers attempt access within an average of 17 minutes when AWS credentials are exposed publicly, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: What breaks when malware is delivered through shared AI chatbot pages?
A: Domain reputation stops being a reliable control when the attack begins on a legitimate platform page that later redirects or renders malicious content.
Q: Why do shared chatbot pages create a phishing problem for IAM and browser security?
A: They create a trusted session boundary that can carry users from a reputable AI domain into an unsafe download flow.
Q: How do security teams detect abuse of legitimate AI platform content?
A: They need browser telemetry and content-aware inspection that can see the rendered page, the redirect chain, and the final payload delivery.
Practitioner guidance
- Inspect rendered content, not only the URL Add browser-side controls that evaluate the actual rendered page, redirects, and download behaviour inside trusted AI platform sessions.
- Block paste-and-run installation workflows Reduce exposure to terminal-based social engineering by restricting direct execution from browser content and by warning on command-copy patterns that originate from shared chatbot pages.
- Tune detections for shared-content abuse Create detections for shared ChatGPT and Claude content, especially pages that request downloads, show fake service notices, or redirect to non-platform domains.
What's in the full analysis
Push Security's full analysis covers the operational detail this post intentionally leaves for the source:
- The exact LLMShare detection logic and how it distinguishes shared-content abuse from generic phishing.
- The malicious page and redirect patterns observed across ChatGPT and Claude variants.
- The attacker infrastructure examples and indicators of compromise that change as campaigns rotate.
- The browser-layer controls Push uses to stop users before the payload can execute.
👉 Read Push Security's analysis of LLMShare attacks in ChatGPT and Claude →
LLMShare malware delivery through ChatGPT and Claude pages: what changes?
Explore further
10/06/2026 1:41 am
Platform trust is becoming a security control failure when identity and content are conflated. This campaign works because chatgpt.com and claude.ai are treated as trusted by default, even when the content rendered inside them is malicious. That means the real control gap is not simply malware detection, but the assumption that a trusted domain implies trusted content. Practitioners should treat platform trust as conditional, not absolute.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
- Our research also found that 80% of organisations report AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: How should organisations respond when search ads lead to AI platform malware delivery?
A: They should treat sponsored search results as a high-risk intake path and pair user awareness with browser controls that inspect downloads and execution prompts. The goal is to stop the trust chain before the user reaches the payload, not after the malware has already been staged.
👉 Read our full editorial: LLMShare attacks turn trusted chatbot pages into malware delivery
