Fake ChatGPT App Ads Spread Password-Stealing Malware

Hackers are using fake ChatGPT desktop app ads to spread password-stealing malware. They buy sponsored Google search ads for terms like "ChatGPT desktop app." Here's the thing: clicking these ads sends users to a genuine chatgpt.com address. But hackers use ChatGPT's code-rendering feature to display a fake outage notice on this real link. This notice tells users the web version is down and urges them to download a desktop app. What happens next is users are redirected to a lookalike site, openew.app, which delivers malicious executables for Windows and macOS. On Mac devices, the malware is Odyssey Stealer, which targets browser-saved passwords, crypto wallets, and session tokens. This download site uses a conditional rendering technique to avoid detection, showing scanners a harmless website while real users get the malware. Another vulnerability, called ChatGPhish, targets how ChatGPT summarizes third-party websites. Attackers can inject malicious code into a webpage. When a user asks ChatGPT to summarize that page, the AI fetches the hacker’s live, clickable phishing links or fake security alerts directly into the chat interface. The bottom line is, users need to be very careful about where they download software and what links they click, even within trusted AI platforms.