June 2, 2026 – LLMShare attack – by Zach Carothers – in Cybersecurity, Awareness
The LLMShare attack is what happens when criminals weaponize what AI tools have earned the fastest: your trust. In 2026, attackers worked out how to turn the shared pages of ChatGPT and Claude into delivery vehicles for malware. The links look flawless because they are real and hosted on chatgpt.com and claude.ai, two domains that your browser, your security stack, and your people all wave straight through. By the time anyone notices the page is a fake, the download has already started.
How Did the Meta AI Exploit Actually Work?
The attack was almost embarrassingly simple.
1. The attacker turned on a VPN to make their connection appear to come from the same country as the target account. (Lists of high-value usernames with their associated cities were already circulating on Telegram.)
2. The attacker started a normal password reset on the target.
3. The regular flow asked for verification they couldn’t provide. In turn, they asked Meta’s AI support assistant to swap the email address on the account. Meta’s AI did what it was trained to do, and sent an eight-digit confirmation code to the attacker’s email.
5. The attacker pasted that code back into the chat, and the AI accepted it. The password reset email began routing to the attacker, and the whole process took less than five minutes.
What Makes the LLMShare Attack Different From Ordinary Phishing?
Security firm Push Security disclosed the LLMShare attack on May 29, 2026, after detecting it live across multiple customer environments. The mechanics are deceptively simple. Attackers use the built-in share features of AI chatbots to publish malicious content directly on chatgpt.com and claude.ai, then buy sponsored search ads to funnel victims toward it.
That last detail is the part worth sitting with. Most phishing advice for the past decade boiled down to one habit: check the link before you click. The LLMShare attack breaks that habit on purpose. The destination really is chatgpt.com. URL reputation checks, safe-browsing databases, and email filters all confirm the domain as trustworthy, because it is. The attacker borrows the platform’s credibility wholesale, and your defenses confirm the lie for you.
How Does the LLMShare Attack Actually Work?
The campaign that Push observed runs in four moves:
- A poisoned search result:
Victims arrive after searching everyday terms like “chatgpt,” “chatgpt free,” or fat-fingered typos like “chatgot” and “cvhatgpt.” Then, a sponsored ad sits at the top of the results.
- A fake page on a real domain:
On the ChatGPT variant, attackers abuse the code-rendering feature to build a polished “We’re experiencing high traffic” service-disruption notice, hosted at a genuine chatgpt.com share URL, with a friendly “download our desktop app to continue” button. On the Claude variant, the lure is a shared conversation posing as a “Claude Code on Mac” install guide, falsely attributed to “Apple Support.”
- A convincing clone:
The button sends the victim to a near-pixel-perfect copy of the official ChatGPT download page, complete with branding and both Windows and macOS buttons.
- The payload:
The file, dressed up as “ChatGPT for Desktop,” is malware, already flagged on VirusTotal.
What makes this hard to investigate? The fake download site shows a different face to machines than it shows to people. When security scanners visit, they are redirected to a harmless, unrelated company website. Real users in a real browser get the trap. That conditional rendering buys the campaign time before anyone can flag it.
Why Does the LLMShare Attack Feel So Familiar?
Because we have met its older sibling. Push classifies the rendered-page version as an “InstallFix” attack, a branch of the ClickFix family. If you have read our breakdown of the ClickFix scam, the rhythm here will sound identical: a fake but official-looking message, a moment of manufactured urgency, and a single action that quietly installs malware.
ClickFix typically told victims to press Win+R and paste a command, dropping infostealers or remote-access trojans onto the machine. It worked because it leaned on fear and a believable pretext. The LLMShare attack keeps that playbook and removes its one weakness. A shared chat telling you to paste a terminal command still looks a little odd. A clean “service is busy, grab the app” page on the real ChatGPT domain looks like a Tuesday. As Push put it, “even users that are paying attention are liable to fall for it.”
What the LLMShare Attack Means If You’re Still Deciding on AI
If your organization is standing at the edge of an AI rollout, weighing which tools to sanction and how widely, this is the campaign that should shape the conversation. The lesson is not “avoid AI.” The tools are too valuable, and that ship has sailed. The lesson is this: The moment you adopt an AI platform, you also adopt its brand trust as a new attack surface, and attackers are already mining it.
That argues for building the guardrails into the rollout rather than bolting them on after an incident. Decide now how software gets installed in your environment. Make it a rule that real installations never come from a search ad and never involve pasting a command someone handed you. Publish an approved-tool list so “is this the real ChatGPT?” has an answer that doesn’t depend on a stressed employee’s judgment. Governance set before launch is far cheaper than the cleanup after a breach notification, and it lets leadership say yes to AI with confidence. Good security here is not a brake on AI adoption. It is actually what makes saying “yes” safe.
Already Running a Large AI Stack? Here’s Where the Gaps Hide
For teams already deep into AI tooling, the exposure is wider, not narrower. Your people have been trained, correctly, to treat chatgpt.com and claude.ai as safe, and that trust now scales with every employee who uses these tools daily. The reputation-based controls most organizations lean on, like domain categorization and link scanning, are exactly what this attack is designed to slip past. Add the reality of shadow AI, where staff adopt tools faster than security can inventory them, and the blast radius gets way bigger.
How Do You Get Ahead of the LLMShare Attack?
The defenses are not exotic, but they have to be deliberate. Train your team specifically on AI-themed lures, so a fake “ChatGPT is down” page triggers the same suspicion a sketchy email would. Lock installs to official channels, and make it standard that no legitimate service asks you to paste commands or sideload an app from an ad. Keep endpoint detection and response, DNS filtering, and patching current, so anything that slips through is caught at the next layer. And because trusted-domain attacks are built to evade prevention, pair those controls with 24×7 monitoring and detection and response, so a missed click becomes a contained incident instead of a headline. The most realistic way to run all of that consistently is often a managed security partner or virtual CISO like TorchLight, who lives in this threat landscape daily.
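Because the share page sits on a trusted domain and the clone site hides from scanners, one practical detection is to correlate user telemetry instead: an installer fetched from a non-approved host shortly after the same user opened an AI share page. The sketch below is an added example, not code from Push Security or TorchLight; the log format, share-path prefixes, approved host, and time window are all assumptions to adapt.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions (tune per environment): share prefixes, approved host, extensions, window.
SHARE_PREFIXES = {"chatgpt.com": ("/share/",), "claude.ai": ("/share/",)}
APPROVED_INSTALL_HOSTS = {"software.corp.example"}  # hypothetical internal portal
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg")
WINDOW = timedelta(minutes=10)

# Constructed proxy log lines: "<ISO timestamp> <user> <method> <url>"
SAMPLE_LOG = [
    "2026-06-01T09:14:02 alice GET https://chatgpt.com/share/EXAMPLE-ID-1",
    "2026-06-01T09:14:40 alice GET https://chatgpt-desktop.example/download",
    "2026-06-01T09:15:05 alice GET https://chatgpt-desktop.example/files/ChatGPT-Setup.exe",
    "2026-06-01T09:20:00 bob GET https://claude.ai/share/EXAMPLE-ID-2",
    "2026-06-01T11:45:00 bob GET https://vendor.example/tool.dmg",        # outside window
    "2026-06-01T10:00:00 carol GET https://chatgpt.com/share/EXAMPLE-ID-3",
    "2026-06-01T10:01:00 carol GET https://software.corp.example/ChatGPT.msi",  # approved
    "2026-06-01T10:05:00 dave GET https://other.example/app.exe",         # no share visit
]

def parse(line):
    ts, user, _method, url = line.split()
    return datetime.fromisoformat(ts), user, urlsplit(url)

def host_matches(host, base):
    return host == base or host.endswith("." + base)

def is_share_page(u):
    host = (u.hostname or "").lower()
    return any(host_matches(host, d) and u.path.startswith(p)
               for d, prefixes in SHARE_PREFIXES.items() for p in prefixes)

def is_unapproved_installer(u):
    host = (u.hostname or "").lower()
    return (u.path.lower().endswith(INSTALLER_EXT)
            and not any(host_matches(host, a) for a in APPROVED_INSTALL_HOSTS))

def find_chains(lines, window=WINDOW):
    """Return (user, share_url, download_url) for installers fetched soon after a share page."""
    last_share, alerts = {}, []   # last_share: user -> (timestamp, share URL)
    for ts, user, u in sorted(map(parse, lines), key=lambda r: r[0]):
        if is_share_page(u):
            last_share[user] = (ts, u.geturl())
        elif is_unapproved_installer(u) and user in last_share:
            seen, share_url = last_share[user]
            if ts - seen <= window:
                alerts.append((user, share_url, u.geturl()))
    return alerts
```

Running `find_chains(SAMPLE_LOG)` flags only alice's download; a hit is a lead for triage rather than a verdict, since legitimate share links are common.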
The Trusted Platform Trend
TorchLight specializes in managed security services for organizations where security and compliance are non-negotiable. With 18+ years serving regulated industries, 24/7 SOC operations, and deep regulatory fluency across GLBA, HIPAA, and SEC requirements, TorchLight delivers security operations leadership can defend.

