
iTerm2 Security Flaw Exposes macOS

Hacker News

Researchers discovered a critical vulnerability in iTerm2 that allows malicious terminal output to execute code on macOS systems. Even seemingly harmless commands like `cat readme.txt` can trigger the exploit when iTerm2's SSH integration feature is active. The vulnerability stems from how iTerm2 trusts terminal escape sequences from untrusted sources.

The exploit works by forging DCS 2000p hooks and OSC 135 messages that iTerm2 interprets as legitimate conductor communication. When iTerm2 receives these fake sequences, it initiates its normal conductor workflow, including sending getshell() and pythonversion() requests. The attacker-controlled sshargs parameter allows for precise command injection.
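A defensive check for the sequences named above, as an added example that is not code from iTerm2 or from the researchers: it scans untrusted bytes for DCS 2000p and OSC 135 introducers before they reach a terminal, and can render them inert for viewing. It assumes standard ECMA-48 framing (DCS as `ESC P` or C1 byte 0x90, OSC as `ESC ]` or C1 byte 0x9d); the function names and the sample bytes are constructed for illustration.

```python
import re
import sys

# Assumption: standard ECMA-48 introducers, 7-bit (ESC P / ESC ]) and raw 8-bit C1.
PATTERNS = {
    "DCS 2000p hook": re.compile(rb"(?:\x1bP|\x90)2000p"),
    "OSC 135 message": re.compile(rb"(?:\x1b\]|\x9d)135;"),
}

def find_conductor_sequences(data: bytes):
    """Return sorted (offset, kind) pairs for each suspicious introducer."""
    hits = []
    for kind, pattern in PATTERNS.items():
        hits.extend((m.start(), kind) for m in pattern.finditer(data))
    return sorted(hits)

def neutralize(data: bytes) -> bytes:
    """Rewrite ESC and C1 bytes as visible text so a terminal will not
    interpret them. This also alters UTF-8 continuation bytes in the
    0x80-0x9f range, which is acceptable for inspection, not for storage."""
    out = bytearray()
    for b in data:
        if b == 0x1B:
            out += b"^["
        elif 0x80 <= b <= 0x9F:
            out += b"\\x%02x" % b
        else:
            out.append(b)
    return bytes(out)

# Constructed sample: only the framing is real, the payloads are placeholders.
SAMPLE = (b"Project notes\n"
          b"\x1bP2000pPLACEHOLDER\x1b\\"
          b"\x1b]135;PLACEHOLDER\x07"
          b"end\n")

if __name__ == "__main__":
    # Usage: python scan.py FILE...   (with no arguments, scans the sample)
    inputs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    for name, data in inputs.items():
        for offset, kind in find_conductor_sequences(data):
            print(f"{name}: {kind} at byte {offset}")
        sys.stdout.write(neutralize(data).decode("latin-1"))
```
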

The vulnerability was reported on March 30 and fixed in commit a9e745993c2e2cbb30b884a16617cd5495899f86 on March 31. However, the fix has not yet reached stable releases, leaving users vulnerable until they update. Researchers created proof-of-concept exploits demonstrating how everyday terminal commands can become attack vectors.