🤚 The Open-Palm Incident Report
Threat actors have discovered that ChatGPT’s share link feature — the one that lets you send a conversation to a colleague so they can see your extremely normal 2 AM prompt about whether hot dogs are sandwiches — can also be weaponized to distribute malware. The campaign, dubbed “LLMShare” by researchers at Push Security, exploits chatgpt.com/s/ URLs to display fake OpenAI outage pages that direct users to download infostealers disguised as the ChatGPT desktop application.
The attack flow is elegant in the way that only cybercrime can be elegant:
- Attackers create ChatGPT conversations that render as custom HTML and CSS — essentially building a fake webpage inside a real chatbot
- Users encounter these links via Google Ads that appear in search results for “ChatGPT”
- The shared link displays a convincing outage notice: “We’re experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.”
- Clicking the download button redirects to openew[.]app, a cloaked domain that shows security scanners an innocent AR/VR company website while serving malware to actual humans
- Both macOS and Windows variants are distributed, with the Windows version running VM detection before deploying its payload
The malware itself is an infostealer — the cybercriminal equivalent of a pickpocket who also reads your diary.
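A defender's view of the flow above, as an added example that is not part of the original article or Push Security's research: it scans web proxy logs for an installer download from an untrusted host that follows a chatgpt.com/s/ view by the same user. The log format, allow-list, 10-minute window and sample hosts are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SHARE_HOST = "chatgpt.com"
SHARE_PATH_PREFIX = "/s/"  # share-link path named in the article
INSTALLER_EXTS = (".dmg", ".pkg", ".exe", ".msi", ".zip")
# Assumption: hosts you accept vendor installers from; fill in from your own allow-list.
TRUSTED_DOWNLOAD_HOSTS = {"openai.com", "chatgpt.com"}
WINDOW = timedelta(minutes=10)  # assumption: how long after a share view a download is suspect

# Constructed proxy log, oldest first: timestamp, user, URL, referrer ("-" if none)
SAMPLE_LOG = """\
2025-01-01T09:00:05 alice https://chatgpt.com/s/EXAMPLE-SHARE-ID https://www.google.com/
2025-01-01T09:00:41 alice https://cloaked-download.example/ChatGPT-Setup.exe https://chatgpt.com/
2025-01-01T09:02:10 bob https://chatgpt.com/c/EXAMPLE-CHAT-ID -
2025-01-01T09:03:00 bob https://vendor.example/tool.dmg -
2025-01-01T09:05:00 carol https://chatgpt.com/s/EXAMPLE-SHARE-ID -
2025-01-01T09:40:00 carol https://cloaked-download.example/ChatGPT.dmg -
2025-01-01T10:00:00 dave https://chatgpt.com/s/EXAMPLE-SHARE-ID -
2025-01-01T10:01:00 dave https://cloaked-download.example/ChatGPT.dmg -
"""

def is_trusted(host):
    """Exact match or true subdomain of an allow-listed host (no suffix tricks)."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DOWNLOAD_HOSTS)

def find_share_link_downloads(log_text):
    """Return (user, download_host, reason) for installer fetches tied to a share link."""
    last_share = {}  # user -> time of most recent share-link view
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, url, referrer = line.split()
        ts = datetime.fromisoformat(ts_raw)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host == SHARE_HOST and parts.path.startswith(SHARE_PATH_PREFIX):
            last_share[user] = ts
            continue
        if not parts.path.lower().endswith(INSTALLER_EXTS) or is_trusted(host):
            continue
        # Referrer policy often strips the path, so an origin-only match still counts.
        ref_host = urlsplit(referrer).hostname or ""
        recent = user in last_share and ts - last_share[user] <= WINDOW
        if ref_host == SHARE_HOST or recent:
            reason = "referrer" if ref_host == SHARE_HOST else "time-window"
            alerts.append((user, host, reason))
    return alerts
```

The time-window branch matters because the redirect hop may arrive with no referrer at all; the window length trades missed slow clicks against noise from unrelated downloads.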
👐 The Two-Handed Trust Paradox
What makes LLMShare particularly insidious is that it exploits the one thing AI companies have spent billions cultivating: trust in their own URLs. A link starting with chatgpt.com passes the sniff test for virtually every human being and most email security gateways. It’s not a typosquatted domain. It’s not a shortened URL. It’s the actual website of the world’s most popular AI chatbot, serving content that looks like an official status page.
The cloaking on openew[.]app adds a second layer of credibility laundering. Security platforms scanning the download domain see a legitimate-looking AR/VR startup website. Actual users see an OpenAI-branded download portal. The attackers have essentially built a two-stage magic trick: the first misdirection happens on a trusted domain, and the second happens on a domain that’s been dressed up specifically to fool the bouncer.
Push Security also noted that similar techniques have been observed abusing Claude Artifacts to host ClickFix-style malware lures — meaning this isn’t just an OpenAI problem. It’s an industry problem. Every AI platform that lets users create and share rendered content has accidentally built a malware distribution CDN with excellent SEO.
🌿 The Gentle Awakening
There is a certain cosmic irony in the fact that the technology designed to make humans more productive is now being used to make cybercriminals more productive. The share link feature exists because AI companies want their products to be viral. They want you to share that conversation where ChatGPT wrote a sonnet about your cat. They want organic distribution. They want the network effects.
What they did not want was for someone to realize that “share a conversation” and “host arbitrary HTML on our domain” are, from a security perspective, uncomfortably close to the same thing.
This is the fundamental tension of the AI platform era: every feature that makes a product more shareable also makes it more exploitable. Every trust signal that helps users feel safe also helps attackers inherit that safety. The share link is not a bug — it’s a feature that threat actors are using exactly as designed, just not for the intended purpose.
👑 The Gold-Leaf Remediation Forecast
The fix here is straightforward in theory and nightmarish in practice. AI platforms need to decide whether shared content is user-generated content — with all the moderation obligations that implies — or platform content served under their own domain’s reputation. Right now, they’re getting the SEO benefits of the latter while bearing none of the security responsibilities.
Expect OpenAI to add content-type restrictions to shared links, probably within the week. Expect Anthropic to publish a thoughtful blog post about responsible sharing. Expect Google to have already fixed this six months ago but forgotten to tell anyone. And expect the attackers to move on to the next AI platform feature that was designed for delight and optimized for exploitation.
In the meantime, if someone sends you a ChatGPT link that says the service is down and you should download the desktop app, consider the possibility that the only artificial intelligence in that conversation is the one pretending to be broken.
“The chatbot was used to impersonate itself having an outage, which directed users to download a fake version of itself that steals their data. We have officially reached the Inception layer of social engineering, and Leonardo DiCaprio’s totem is spinning.” — The Slap of Wisdom Threat Intelligence Desk, verifying this article was not itself generated by a malicious share link