ChatGPT share links abused to deliver malware

What happened

Threat actors are *exploiting* ChatGPT's conversation-sharing feature to stage fake OpenAI outage pages. The attack is straightforward: craft a conversation whose content mimics an official service-down notice, share it via a `chat.openai.com/share/…` link, and distribute that link through email, social media, or forums.

The target lands on an OpenAI domain, sees a page with the correct branding and a "service unavailable" message, and gets offered a "ChatGPT desktop client" download to keep accessing the service. The installer is malware. The exact payload type isn't detailed in the original report, but the download vector is clear.

What makes this particularly effective: the link lives on `chat.openai.com`. Valid HTTPS, high-reputation domain. Corporate email filters, proxies, and domain-reputation-based security tools don't flag that hostname.

Why it matters

Most phishing campaigns rely on lookalike domains registered days before the attack — easy to catch by domain age or low reputation. Here the malicious content is hosted on OpenAI's own infrastructure. Reputation controls don't apply. A user who would immediately distrust `openai-support-help[.]xyz` won't hesitate on `chat.openai.com`.

Confusion around ChatGPT desktop availability amplifies the deception. Many users don't know exactly which platforms have a native client, so an "install this to keep using the service" prompt doesn't trigger alarm. The chain — *legitimate platform → fake outage notice → trojanized installer* — is a well-established pattern seen across GitHub, Google Docs, and Notion, but brand trust around AI tools drives the hit rate higher.

What to do

• Only download ChatGPT Desktop from `openai.com/chatgpt/download`
• Treat any `chat.openai.com/share/…` link that prompts a software install as malicious by default
• Configure your proxy or EDR (endpoint detection and response tool) to alert on executables downloaded from AI-platform domains
• If you manage non-technical users, communicate explicitly: ChatGPT share links are not an official software distribution channel

The root issue isn't an OpenAI vulnerability — it's a design abuse. Any platform with user-generated content that renders public pages becomes a potential payload host. Until OpenAI filters or restricts what's renderable in public shares, this attack surface stays open.