The most cautious company in AI does not secure its own shared Claude chats.
Anthropic denies public access to Mythos because it is too dangerous. Meanwhile, its own claude.ai domain serves as a phishing page through shared chats. The AI industry invests in spectacular risk and neglects the mundane risk.

Anthropic bans public access to Mythos because the model could be dangerous. Anthropic publishes 40-page alignment reports. Anthropic coined the term "AI Safety Level" to classify the risks of its own models. Anthropic is, in public discourse, the company that takes AI safety more seriously than anyone.
On 10 May 2026, we learn that the claude.ai domain serves as a malware distribution vector.

What happened
Attackers exploited a native feature of Claude.ai: shared chats. Anyone can create a conversation on the platform and make it publicly accessible via a link. That link is hosted under the claude.ai domain.
The attackers created a shared chat titled "Claude Code on Mac", attributed to "Apple Support". The content looks like an official installation guide. It asks the user to open the Terminal on their Mac and paste a command. That command, encoded in base64, silently downloads and runs a malicious script.
To lure victims onto this page, the attackers bought Google ads targeting queries such as "Claude mac download". The sponsored result displays claude.ai as the destination domain. The URL is genuine. There is nothing to spot.
The malware, a variant of the MacSync infostealer, runs entirely in memory so it leaves no trace on disk. The payload changes with every download to evade antivirus signatures. Before activating, the script checks the keyboard layout: it halts if it detects a Russian keyboard or one from a CIS country, a classic signature of East European cybercriminal operations that avoid targeting their own jurisdictions. Once active, it harvests browser credentials, cookies and the contents of the macOS Keychain. Two distinct variants were identified by researcher Berk Albayrak and by BleepingComputer, using different infrastructure but the same attack chain.
The attack relies on no technical vulnerability in Claude.ai. It relies on the fact that the domain hosts unmoderated public content, and that this content is credible enough for the user to run the malicious code themselves.

The irony is not incidental. It is structural.
There is something deeply revealing about a company that refuses to make a model "too dangerous" public while hosting, on its own domain, content that actively distributes malware. This is not a marginal contradiction. It is the perfect illustration of a pattern I have been observing in the industry for years: we invest heavily in spectacular risks and neglect the fundamentals.
Anthropic is not alone. Similar campaigns have exploited ChatGPT and Grok. The pattern is the same: AI vendors build sharing, collaboration and public-access features without treating those features as attack surfaces. Because in their mental model, the risk is in the model. Not in the platform. Not in the infrastructure. Not in the fact that anyone can publish content under their domain with a title that says "Apple Support".
It is exactly the same blindness as companies that invest millions in intrusion detection and leave a service account with administrator rights and a default password on a server exposed to the Internet. The glamorous risk absorbs all the attention. The mundane risk does the damage.
Google Ads: the vector nobody closes
The other player in this story is Google. And here the picture is even more damning, because it is not new.
Malvertising via Google Ads has been documented for years. Sponsored results appear above organic results. They display the destination domain in plain text. When an attacker points an ad at a legitimate domain whose open feature they are exploiting, the distinction between legitimate ad and attack vector disappears entirely. Google knows this. Google has the technical means to detect that an ad's landing page contains instructions asking users to run commands in a terminal. Google does not do it.
In 2026, Google Ads remains one of the most effective malware distribution vectors in the world. It is a finding so often repeated that it has stopped being shocking. It should be shocking.

The real problem: trust as a product
What makes this attack effective is neither the malware (a classic polymorphic infostealer) nor the technique (elementary social engineering). It is the fact that AI vendors sell trust. Their brand, their domain, their interface are signals of credibility. When a user sees claude.ai in the address bar, they no longer ask whether the content is trustworthy. They have already answered.
The attackers understood this before the vendors did. Why build a fake site when you can use the real one? Why manufacture credibility when you can borrow it? The shared-chats feature is an open invitation. No need to compromise anything. All you have to do is publish.
The platforms' response will have to match the scale of the problem: moderation of shared chats, automatic detection of content containing terminal commands, restriction of public visibility, explicit warnings. None of this is revolutionary. None of this has been done.
The paradox of AI safety in 2026
We write reports on the existential risks of AI. We debate the alignment of models. We classify systems by safety levels. We deny public access to models deemed too powerful. And we let our own domain serve as a phishing page because we did not anticipate that a shared chat could be used by anyone other than a well-meaning user.
That is a fairly faithful summary of the state of cybersecurity in general. We anticipate the Black Swan. We ignore the pigeon on the window ledge. We model ten-year catastrophe scenarios. We do not check what is happening on our own platform today.
Anthropic will fix the problem. Google will eventually moderate the most blatant ads. Until the next sharing feature, on the next platform, with the next trusted domain.
The rule remains what it has always been: never download software from a Google ad. And never paste a command into a terminal if you do not understand what it does. Even if the URL is the right one. Especially if the URL is the right one.
Questions fréquentes
What does the attack via Claude.ai shared chats consist of?
The attackers create a public conversation titled "Claude Code on Mac" attributed to "Apple Support", hosted under the claude.ai domain. It asks the user to paste a base64-encoded command into the Terminal, which downloads and runs a malicious script.
Is there a technical vulnerability in Claude.ai?
No. The attack relies on no flaw in Claude.ai, but on the fact that the domain hosts unmoderated public content, credible enough for the user to run the code themselves.
What role does Google Ads play?
The attackers buy ads targeting queries such as "Claude mac download". The sponsored result displays claude.ai as the destination domain: the URL is genuine, which removes every warning signal for the victim.
What does the malware do once run?
It is a variant of the MacSync infostealer that runs in memory to leave nothing on disk, changes payload with every download to evade antivirus, and harvests browser credentials, cookies and the contents of the macOS Keychain.
How do you protect yourself?
Never download software from a Google ad, and never paste a command into a terminal without understanding what it does, even if the URL looks legitimate.
Sources & méthodologie
- BleepingComputer
- Berk Albayrak (chercheur en sécurité)

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
