You ask an AI assistant where to download a tool. You get a clear, helpful answer with the right product name and a link that looks fine. You click it, install — and you have just installed malware.
This is not theory. Active campaigns using this exact technique have already been observed in the wild.
What is happening
The safest way to download software has always been the same: go directly to the vendor's website if you know it. Searching is a fallback. Asking an AI is one step further removed again.
Attackers know this — and they know that more and more people now skip both the vendor site and the search engine, and just ask an AI chatbot "where do I download X?". So they have started feeding the AI ecosystem the same way they used to feed search engines: fake sites, planted content, and manipulated references.
The result: the chatbot gives you a friendly, confident answer — and one of the links in it points to an attacker-controlled site. The download looks like the real tool. It often even works like the real tool. But something extra gets installed in the background.
Why it works
The answer looks correct. The product name is right. The description is right. The tone is helpful and professional. Only the link is wrong — and it is wrong in a way that looks almost identical to the real one.
There is no urgent tone. No suspicious sender. No phishing markers. Just an AI being confidently wrong on a single line.
It is not just downloads — scripts too
The same trick works with code. You ask an AI for a script that does A. You get a script that does A — and quietly also does B.
The extra behaviour does not have to be large. A few lines that send data somewhere. A function with an innocent name that reaches out to a server you do not control. A small block of code wrapped inside something useful.
Security researchers have already demonstrated this. Attackers can plant malicious or misleading content in places the AI may later reference — public repositories, documentation, configuration files, or even hidden text embedded inside otherwise normal content. When someone later asks the AI for help, that planted content can influence what the AI produces, and the resulting code can contain something the user never asked for.
The script still works. It still does what you asked. That is what makes it hard to spot — and that is why pasting AI-generated code straight into production without reading it line by line is a real risk, not a theoretical one.
What to take from this
- Treat AI answers like advice from a stranger, not like a search result from a trusted source. Useful as a starting point, never as the final word.
- Always go directly to the vendor's website. If you know the address, type it yourself. If you do not, verify the domain through a trusted source first — not just an AI response or the first search result. Do not blindly trust download links provided by AI assistants. Verify the vendor domain yourself before downloading anything.
- Tell your users this. Most have no idea that AI answers can be manipulated. A short message in your normal channels goes a long way.
- Make sure your security stack inspects downloads — URL filtering, DNS security, and sandboxing catch many of these before the file ever lands.
- Read AI-generated code before you run it. Especially anything with network calls, file access, or credentials. If you do not understand a line, do not run it.
- Review your software installation policy. If users can freely install small utilities from anywhere, this attack works. If they cannot, it does not.
Bottom line
AI is changing how people find information — and attackers have already adapted. The fix is not new technology. It is the same rule we have always taught: go to the source you trust, do not let someone else hand you the link.
The difference is that the someone else is no longer a search engine. It is an AI that sounds like it knows the answer.
