Hackers Are Using Shared AI Chats to Steal Your Passwords and Crypto

[Brownie2019]

Content source

https://gbhackers.com/ai-chats/

A sophisticated malvertising campaign is exploiting ChatGPT and DeepSeek’s shared chat features to deliver credential-stealing malware to macOS users.

Threat actors are purchasing sponsored Google search results and redirecting victims to legitimate-looking LLM-generated chat sessions that contain obfuscated malicious commands, effectively bypassing platform-level safety mechanisms.

The attack begins when users search for common macOS troubleshooting queries, such as “how to clear storage on Mac.”

Sponsored Google search results direct victims to shared ChatGPT and DeepSeek chat links that appear benign but contain malicious terminal commands disguised as legitimate system maintenance instructions.

Full Story:

Hackers Are Using Shared AI Chats to Steal Your Passwords and Crypto

A sophisticated malvertising campaign is exploiting ChatGPT and DeepSeek's shared chat features to deliver credential-stealing malware to macOS users.

gbhackers.com

 

[Bot]

Full Story:

Hackers Are Using Shared AI Chats to Steal Your Passwords and Crypto

A sophisticated malvertising campaign is exploiting ChatGPT and DeepSeek's shared chat features to deliver credential-stealing malware to macOS users.

gbhackers.com

This is a good catch and a very realistic attack path, especially for non-technical macOS users who “just follow instructions”.

What this campaign is doing
Based on that write-up, the flow looks like this:

• User searches Google for something like "how to clear storage on Mac".
• A sponsored (ad) result is shown at the top.
• The ad leads to a shared ChatGPT/DeepSeek chat link that:
  • Looks legit (official domain, real chat UI).
  • Contains a pre-populated chat with “helpful” instructions.
  • Includes obfuscated Terminal commands that actually drop or execute malware (credential stealer).
• User copies commands from the chat into Terminal, thinking it’s a safe “AI recommended” cleanup tip.
• Malware runs with the user’s permissions and starts stealing credentials / data.

The key trick: they aren’t hacking ChatGPT or DeepSeek itself. They’re abusing shared conversations and Google Ads to social-engineer users into executing malicious commands.

Why it’s effective

• People increasingly trust AI-branded content and “AI chats” for troubleshooting.
• Shared chats are still on legitimate domains (chatgpt.com, etc.), which reduces suspicion.
• Many macOS users are told “just paste this into Terminal” without understanding what it does.
• Obfuscated commands can slip past quick visual checks.

How to protect yourself (macOS + general)

• Be very careful with Terminal commands from any AI/chat
  Never run a command if:
  • You don’t understand what it does.
  • It’s long, obfuscated, or full of random characters/base64.
  • It starts with or includes curl, wget, bash <(curl ...), or direct downloads/execution from the internet.
• Prefer organic results over ads
  Sponsored results are the main infection vector here.
  • Avoid clicking “Ad”/“Sponsored” results for troubleshooting queries.
  • Scroll down to results from support.apple.com, well-known tech sites, or known communities.
• Verify the content, not just the domain
  Even if the link is from chatgpt.com or another legit LLM:
  • Ask: “Would Apple or a reputable guide really tell me to do this?”
  • Cross-check the same fix with another source (Apple docs, major tech sites, forums).
• Don’t use random scripts for “cleaning storage”
  For macOS disk cleanup, stick to:
  • Apple’s own tools: About This Mac → Storage → Manage.
  • Known UI-based apps (and still with caution).
  • Avoid any script that promises “deep cleaning” via Terminal.
• Harden your browsing against malvertising
  • Use a reputable ad blocker / content blocker in your browser to reduce exposure to malicious ads.
  • Keep browser and extensions up to date.
• Use security software with web + behavioral protection
  A decent macOS security suite can:
  • Block known malicious downloads / domains.
  • Detect suspicious behavior (credential theft, unauthorized access).
  It won’t save you from every bad command, but it adds a useful layer.
  
• Regular backups & unique passwords
  If credentials are stolen:
  • Use a password manager and unique passwords per site.
  • Enable 2FA wherever possible.
  • Keep Time Machine or other backups so you can recover if you need to wipe the system.

If you think you might have been hit

• Stop using that Mac for sensitive logins immediately.
• Change passwords from a known-clean device.
• Scan the Mac with a reputable macOS AV/EDR solution.
• If you have logs / samples, you can share them (safely) in the Malware Assistance section for more detailed analysis, or contact your AV vendor’s support.

Bottom line
This kind of attack doesn’t require breaking ChatGPT/DeepSeek at all; it just abuses trust in AI output plus Google Ads. The safest approach is to treat any Terminal command from AI chats, random blogs, or shared links as untrusted code and only run what you fully understand and can verify from multiple reputable sources.

 

[Zero Knowledge]

I would prefer they just upload password dumps and breaches to A.I. and then automatically generate a breach notice. Would make users change passwords quicker.

 

[Wrecker4923]

This is a macOS script/binary infostealer that exfiltrates the system (Apple?) password, browser credentials, wallets, and Keychain credentials, along with long-term persistence. It doesn't lift third-party password managers' databases. Keychain credentials do contain both TOTP secrets and passkeys, though; oops, all the eggs in one basket regardless of how well the basket is protected.

 

[Divergent]

The threat identified in this thread is active and critical for macOS users. This is a textbook example of "Trust Hijacking," where attackers exploit the reputation of platforms like ChatGPT and Google Search to bypass user vigilance.

The source documentation provided confirms this campaign utilizes a multi-stage infection chain distributing the Shamus Stealer. The attack vector is highly effective because the initial interaction occurs on a legitimate domain. Here is the technical breakdown.

Vector

Sponsored Google Ads redirect to legitimate shared chat URLs (e.g., `chatgpt.com`).

Execution

The user is instructed to copy a "fix" for a common issue (e.g., clearing storage) into their Terminal.

Payload

The command is often base64 encoded to obfuscate its intent. [cite_start]Upon execution, it runs a script that creates a fake password prompt loop to harvest the user's system password, validates it against `dscl`, and writes it to `/tmp/.pass`.

Persistence

It establishes a LaunchDaemon to ensure the malware binary runs continuously, even after reboots.


@Brownie2019

Excellent find. This highlights why "organic" search results should always be prioritized over "Sponsored" results for technical troubleshooting.

@Bot

Your summary is accurate. The use of obfuscated Terminal commands is the primary red flag here. No legitimate AI or support page should ask you to run a base64 encoded string or a `curl | bash` pipe without a clear, readable explanation of the script's contents.

@Wrecker4923

You raised a crucial point regarding the **macOS Keychain. While the malware explicitly targets browser-based wallets (MetaMask, etc.) and desktop apps like Ledger Live, the theft of the Keychain database is significant. If the attackers harvest the system password (via the fake prompt script) and the Keychain file, they can decrypt the contents, exposing any saved passwords or secure notes. Regarding third-party password managers, while Shamus is not explicitly documented to target their specific vaults in this version, the compromised system state allows for potential future keylogging or clipboard hijacking, putting those at risk as well.

@Zero Knowledge

While automated breach notification would be ideal, the ethical and privacy implications of AI companies processing stolen dumps prevent that from being a standard practice. The burden currently remains on the user to practice hygiene.

Remediation & Defense

If you suspect you have run one of these commands, you must assume the device is fully compromised.

Disconnect the machine from the network immediately.

Inspect for the persistence mechanism. Check `/Library/LaunchDaemons/` and `~/Library/LaunchAgents/` for recent, unrecognized plist files.

Sanity Check

If you are unsure if a command is safe, never paste it directly into Terminal. Copy it to a text editor first. If it looks like random gibberish (e.g., `echo "aGVsbG8=" | base64 --decode`), delete it.

Stay vigilant.

 

[Bot]

The threat identified in this thread is active and critical for macOS users. This is a textbook example of "Trust Hijacking," where attackers exploit the reputation of platforms like ChatGPT and Google Search to bypass user vigilance.

The source documentation provided confirms this campaign utilizes a multi-stage infection chain distributing the Shamus Stealer. The attack vector is highly effective because the initial interaction occurs on a legitimate domain. Here is the technical breakdown.

Vector

Sponsored Google Ads redirect to legitimate shared chat URLs (e.g., `chatgpt.com`).

Execution

The user is instructed to copy a "fix" for a common issue (e.g., clearing storage) into their Terminal.

Payload

The command is often base64 encoded to obfuscate its intent. [cite_start]Upon execution, it runs a script that creates a fake password prompt loop to harvest the user's system password, validates it against `dscl`, and writes it to `/tmp/.pass`.

Persistence

It establishes a LaunchDaemon to ensure the malware binary runs continuously, even after reboots.


@Brownie2019

Excellent find. This highlights why "organic" search results should always be prioritized over "Sponsored" results for technical troubleshooting.

@Bot

Your summary is accurate. The use of obfuscated Terminal commands is the primary red flag here. No legitimate AI or support page should ask you to run a base64 encoded string or a `curl | bash` pipe without a clear, readable explanation of the script's contents.

@Wrecker4923

You raised a crucial point regarding the **macOS Keychain. While the malware explicitly targets browser-based wallets (MetaMask, etc.) and desktop apps like Ledger Live, the theft of the Keychain database is significant. If the attackers harvest the system password (via the fake prompt script) and the Keychain file, they can decrypt the contents, exposing any saved passwords or secure notes. Regarding third-party password managers, while Shamus is not explicitly documented to target their specific vaults in this version, the compromised system state allows for potential future keylogging or clipboard hijacking, putting those at risk as well.

@Zero Knowledge

While automated breach notification would be ideal, the ethical and privacy implications of AI companies processing stolen dumps prevent that from being a standard practice. The burden currently remains on the user to practice hygiene.

Remediation & Defense

If you suspect you have run one of these commands, you must assume the device is fully compromised.

Disconnect the machine from the network immediately.

Inspect for the persistence mechanism. Check `/Library/LaunchDaemons/` and `~/Library/LaunchAgents/` for recent, unrecognized plist files.

Sanity Check

If you are unsure if a command is safe, never paste it directly into Terminal. Copy it to a text editor first. If it looks like random gibberish (e.g., `echo "aGVsbG8=" | base64 --decode`), delete it.

Stay vigilant.

You’ve outlined the attack and its implications very well, especially around trust hijacking and the Keychain angle. I’ll just add some concrete, practical points on top of what you wrote.

If you think you ran one of these commands
Assume full compromise and act accordingly:

• Disconnect from the network (Wi-Fi off, unplug Ethernet) to limit further exfiltration.
• Move to a known-clean device (another machine, phone) for all account recovery steps.
• Change your passwords in order of importance:
  • Primary email accounts (especially the one tied to Apple ID, bank, and password manager).
  • Apple ID, bank/financial, work accounts, key cloud services (Google, Microsoft, etc.).
  • Any other high-value logins, then the rest over time.
• Reset or revoke tokens:
  • Sign out all devices / revoke active sessions where possible.
  • Revoke app passwords, API keys, SSH keys, and OAuth tokens (GitHub, GitLab, etc.).
• Enable/strengthen 2FA:
  • Turn on 2FA where it isn’t already.
  • If possible, migrate critical accounts to hardware security keys instead of TOTP.

Given that this stealer targets the system password and Keychain, plus establishes persistence, the safest end state is:

• Backup user data only (documents, photos, etc. – not system files, not apps, not LaunchDaemons).
• Wipe and reinstall macOS from Recovery.
• Reinstall apps manually and restore only your personal files (not full-system Time Machine restore).

Quick checks for persistence (for more advanced users)
Purely for inspection – if anything looks suspicious, treat it as confirmed compromise and plan for a wipe:

• List LaunchDaemons (system-wide):
  ls -lt /Library/LaunchDaemons
  
• List LaunchAgents (per-user):
  ls -lt ~/Library/LaunchAgents
  
  Look for recently created/modified .plist files with:
  
  • Random or meaningless names.
  • Pointing to binaries/scripts in odd locations (e.g. /tmp, obscure subfolders under ~/Library/).
  
  You can inspect a plist without executing anything with:
  
  plutil -p /path/to/suspicious.plist
  
  Do not run any binaries/scripts you find; just note their paths and treat the system as compromised.
  
  Keychain, TOTP, passkeys, and password managers
  Your summary here is important:
  
  • If the malware has both your system password and a copy of your Keychain database, then:
    • Any Keychain-stored passwords, secure notes, Wi-Fi keys, etc. should be considered exposed.
    • TOTP secrets stored in Keychain can be reconstructed, which undermines 2FA for those accounts.
    • Passkeys stored in iCloud Keychain could potentially be abused if the attacker gains practical access.
  • Even if a third-party password manager vault was not directly targeted:
    • A fully compromised system allows for keylogging and clipboard hijacking in later stages.
    • That means master passwords, new logins, and pasted 2FA codes may still be at risk.
  
  Because of that, it’s safer to treat all authentication on the compromised device as untrusted until you’ve rebuilt the system.
  
  Hardening against this specific attack pattern
  
  • Avoid ads for troubleshooting: scroll past sponsored results for “how to fix X on Mac” and prefer:
    • support.apple.com
    • Known, reputable tech sites or forums.
  • Treat Terminal commands as untrusted code:
    • Never run any base64-encoded blob or curl | bash / sh pipe from a guide or AI chat.
    • If a “fix” requires heavy obfuscation, that alone is a deal-breaker.
  • Use a standard (non-admin) account for daily use where possible. That won’t stop everything, but it can limit damage.
    
  • Run reputable security software on macOS with:
    • Web protection (to catch malicious downloads/domains).
    • Behavioral detection (to flag suspicious persistence or exfil attempts).
    This is a safety net, not a substitute for caution.
    
  • Keep regular, offline backups (Time Machine or equivalent), and occasionally test that you can restore important files.
  
  On the “AI should process dumps and auto-notify” idea
  In theory, automated breach notice generation would speed up user response. In practice:
  
  • Most dumps are obtained and traded illegally; processing them at scale raises legal and liability issues.
  • Handling that data centrally creates another high-value target.
  • There are serious consent, jurisdiction, and data protection (GDPR etc.) complications.
  
  So for now, as you said, the burden remains on:
  
  • User hygiene (unique passwords, 2FA, updates).
  • Vendors and platforms doing their part for detection, takedown, and warning.
  
  Summary
  This campaign is a strong reminder that “legit domain” + “AI-branded help” does not equal safety. Any opaque Terminal command – especially base64 blobs or curl | bash – should be treated as hostile until proven otherwise. If in doubt or if you’ve already run something suspicious, assume compromise, secure your accounts from a clean device, and seriously consider a full macOS wipe and rebuild.