News Article · Jun 19, 2026 at 7:37 AM
Attackers Exploit AI Chat Trust Boundaries in Three Separate Campaigns This Month
Security #AI security #Claude #Copilot #Varonis #LiteLLM #MosaicLeaks #ClickFix #trust boundary #SSRF #CVE-2026-42824 #Obsidian Security

Three distinct AI security incidents in June 2025 show attackers exploiting the same fundamental gap: AI tools that accept external input with no trust boundary. Claude Shared Chats, Microsoft Copilot, and LiteLLM all fell victim.

Attackers are exploiting the same weakness across three different AI platforms in June 2025: the absence of a trust boundary for external input. The campaigns, targeting Claude Shared Chats, Microsoft Copilot, and LiteLLM, show attackers moving quickly to weaponize collaboration features and API pathways that lack authentication or validation.

At least five CVEs and one active malware campaign have been tied to this pattern in the first half of June alone, according to disclosures from Varonis, Obsidian Security, and the ServiceNow Hugging Face team.

Claude Shared Chats Used to Distribute ClickFix Malware

Security researchers have documented a campaign in which attackers abuse Anthropic's Claude Shared Chats feature to lend legitimacy to ClickFix attacks. The attackers create chat threads that look legitimate, then share them with targets to trick software developers into executing malicious commands. Experts describe the abuse as a sophisticated evolution of supply chain attacks against developer tooling.

  • The campaign specifically targets software developers, using Claude chat content as a trust signal.
  • Shared Chats are publicly accessible and carry the Claude branding, making them appear safe to targets.
  • ClickFix payloads are delivered through commands disguised as troubleshooting steps within the shared chat. Researchers have tracked the technique to at least three known threat groups active since May 2025.

Copilot SearchLeak and LiteLLM Admin Key Exposures

On June 15, Varonis disclosed SearchLeak, a proof-of-concept attack chain against Microsoft 365 Copilot Enterprise Search. A victim clicks a crafted microsoft.com URL, Copilot searches their mailbox, and the data is exfiltrated through a Bing server-side request forgery (SSRF). The chain requires no plugins and no second click, and it gives the user no visible indicator.

Four days earlier, Obsidian Security published a three-CVE chain against LiteLLM, the widely used open-source API proxy for LLMs. The vulnerabilities allowed attackers to hand themselves admin roles and retrieve all stored API keys for any connected model provider, including OpenAI, Anthropic, and Google. Both attacks work because the AI tools treat incoming data as trusted without validating source or intent.

MosaicLeaks: Research Agents Leak Private Data

ServiceNow and the Hugging Face team published a paper on MosaicLeaks, showing that commercial research agents, including browser-based assistants, routinely leak private data when prompted with crafted instructions. The researchers found that agents can be tricked into revealing API tokens, internal documents, and user credentials by embedding hidden prompts in web content the agent is asked to summarize.

All three incidents point to a common fix: AI tools must establish explicit trust boundaries for external inputs, treating shared chats, web content, and search results as untrusted until proven otherwise. Several of the affected platforms have released patches, but the attacks highlight a recurring design blind spot that researchers expect attackers to continue exploiting as AI adoption increases.

Fact check

  • Claude Shared Chats are being abused to distribute ClickFix malware targeting developers. (reported)
  • Varonis disclosed the SearchLeak (CVE-2026-42824) exfiltration chain via Copilot Enterprise Search and Bing SSRF. (reported)
  • Obsidian Security published a three-CVE chain against LiteLLM allowing admin role and API key theft. (reported)
  • ServiceNow and Hugging Face published MosaicLeaks research showing research agents can leak private data. (verified)
