The Change
OpenAI’s ChatGPT and Anthropic’s Claude both let users create shareable links that open a conversation in a web view. As reported by The Decoder on May 30, 2026, cyber‑criminals have begun using those links to distribute malicious payloads. The shared chats are crafted to look like system error messages or step‑by‑step installation guides, then laced with code that silently infects a visitor’s machine.
Because the links are served from the official OpenAI and Anthropic domains, many endpoint protection products and email filters treat them as safe. The result is a stealthy delivery channel that sidesteps traditional URL‑reputation checks.
Why Now
The timing aligns with two recent product moves. Both providers rolled out the sharing feature to make collaboration easier for developers and educators. At the same time, the broader AI market is seeing a surge in user‑generated content, meaning more people are clicking on links that promise quick AI‑generated answers. Attackers exploit that trust gap: a familiar “ChatGPT” or “Claude” URL carries an implicit seal of legitimacy, which they turn into a lure.
Security teams are also grappling with the sheer volume of AI‑generated traffic. Conventional scanners prioritize known malicious domains, leaving trusted AI hosts under‑monitored. The Decoder notes that the malware slips past “security tools undetected because they're hosted on trusted domains,” highlighting a blind spot that emerged only after the sharing capability became popular.
How It Works
1. Link Generation – A user (or compromised account) creates a shared conversation in ChatGPT or Claude, then copies the public URL.
2. Malicious Content Insertion – Within the shared view, the attacker writes a faux error dialog or a guide that includes a download button or a copy‑paste command. The payload is often hosted elsewhere, but the link that initiates the download points back to the AI chat page.
3. Trust Exploitation – When the victim clicks the link, the browser loads the chat page from openai.com or anthropic.com. Because the domain is whitelisted in many corporate firewalls, the page renders without warning.
4. Execution – The embedded script or instruction executes, installing malware silently. Because the initial request appears benign, endpoint detection systems may never flag the activity.
The Decoder emphasizes that the chats “mimic error messages or install guides,” a design choice that lowers the victim’s suspicion and encourages interaction.
Who Benefits
Security researchers gain a clearer picture of how trusted‑domain abuse can be weaponized, prompting updates to detection heuristics. Enterprises that tighten URL‑reputation policies around AI platforms can reduce exposure. Finally, end users who stay aware of the new threat vector will be less likely to click on unsolicited shared AI links.
For defenders, the takeaway is simple: treat every shared AI conversation link as a potential risk until proven safe. Adding AI‑specific rules to web filters, monitoring for unusual download patterns after a chat view, and educating staff about the new phishing style are immediate steps.
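One way to implement the "unusual download patterns after a chat view" check, as an added example that is not from The Decoder's report or either vendor: it flags a risky-file download that follows a shared-chat view from the same client within ten minutes. The log format, the host list, the `/share/` path marker and the extension list are assumptions to adapt to your own proxy data.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions (not from the article): hosts and path marker for shared chats.
AI_SHARE_HOSTS = {"chatgpt.com", "claude.ai", "openai.com", "anthropic.com"}
SHARE_PATH_MARKER = "/share/"
RISKY_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg", ".ps1", ".sh", ".bat", ".scr")

# Constructed sample proxy log: "<ISO time> <client> <method> <url>"
SAMPLE_LOG = """\
2026-06-01T09:00:05 10.0.0.21 GET https://chatgpt.com/share/EXAMPLE-ID-1
2026-06-01T09:03:40 10.0.0.21 GET https://files.example.net/tools/fix-helper.msi
2026-06-01T09:05:00 10.0.0.34 GET https://updates.example.org/agent.exe
2026-06-01T10:00:00 10.0.0.55 GET https://claude.ai/share/EXAMPLE-ID-2
2026-06-01T10:45:00 10.0.0.55 GET https://files.example.net/setup.exe
2026-06-01T11:00:00 10.0.0.60 GET https://claude.ai/share/EXAMPLE-ID-3
2026-06-01T11:01:10 10.0.0.60 GET https://docs.example.com/guide.html
"""

def is_share_view(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host or true subdomain only, so look-alike hosts do not match.
    on_ai_host = any(host == h or host.endswith("." + h) for h in AI_SHARE_HOSTS)
    return on_ai_host and SHARE_PATH_MARKER in parts.path

def is_risky_download(url):
    return urlsplit(url).path.lower().endswith(RISKY_EXTENSIONS)

def find_suspect_downloads(log_text, window=timedelta(minutes=10)):
    """Return (client, share_url, download_url) where a risky download
    follows a shared-chat view from the same client within `window`."""
    last_share = {}  # client -> (time, url) of most recent shared-chat view
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        stamp, client, _method, url = fields
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        if is_share_view(url):
            last_share[client] = (when, url)
        elif is_risky_download(url) and client in last_share:
            seen, share_url = last_share[client]
            if timedelta(0) <= when - seen <= window:
                hits.append((client, share_url, url))
    return hits
```

On the constructed log only the first client is flagged; the other three cover a download with no prior chat view, a download outside the window, and a non-executable page load.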




