From Indirect Prompt Injection to DNS Exfiltration in macOS Terminal
Summary
Researchers discovered a vulnerability where LLMs (large language models) could be tricked through prompt injection (hiding malicious instructions in data) to emit ANSI escape codes (special terminal control sequences), which macOS Terminal would interpret as commands to make DNS requests (requests that translate domain names to IP addresses) containing stolen data. Apple fixed this behavior in macOS Tahoe 26.1, released November 3, 2025, so the vulnerable escape sequences no longer trigger DNS requests.
Solution / Mitigation
Apple addressed the issue in macOS Tahoe 26.1, released on November 3, 2025. After installing the update, the same escape sequence no longer triggers a DNS request in the Terminal app.
Classification
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2026-30308: In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe comman
Original source: https://embracethered.com/blog/posts/2026/macos-terminal-dillma-dns-exfil-ansi-escape-code-fix/
First tracked: July 17, 2026 at 02:01 AM
Classified by LLM (prompt v3) · confidence: 92%