Overview
Attackers use ANSI terminal escape codes to hide malicious instructions in MCP tool descriptions and outputs, rendering them invisible on screen while the LLM processes them normally. The technique was demonstrated against Claude Code, which applied no filtering or sanitization.
Who Is Affected
The research is by Keith Hoodlet at Trail of Bits and was tested specifically against Anthropic's Claude Code CLI. It affects users of any terminal-based MCP client that renders ANSI escape sequences.
Where It Exists
The vulnerability exists at the intersection of terminal rendering and LLM context processing. ANSI escape codes in tool descriptions are processed by the terminal (making text invisible) but remain in the raw text that the LLM reads.
When It Was Found
Published April 29, 2025. It builds on the Line Jumping Attack disclosed a week earlier, adding a stealth layer using terminal escape sequences.
How It Works
Attackers embed ANSI escape codes (e.g., codes that set the text color to match the background, or move the cursor to overwrite content) in tool descriptions. When displayed in a terminal, the malicious text is invisible. However, the LLM receives the raw text including the hidden instructions. These instructions can suggest downloading packages from malicious servers, planting backdoors, or modifying development environments.
Impact
Even security-conscious users who inspect tool descriptions cannot see the hidden content in terminal displays. This enables supply chain attacks through compromised package suggestions, stealth modification of development environments, and persistent compromise through backdoored dependencies. The attack is particularly dangerous in CI/CD environments using MCP tools.
Mitigation
Strip ANSI escape sequences from all MCP tool descriptions and outputs before display and before LLM processing. Use MCP clients that render descriptions in non-terminal contexts (web UI, plaintext). Implement content security policies for tool descriptions. Audit tool descriptions in raw/hex mode to detect hidden content.
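One way to implement the stripping and raw-mode audit steps, as an added example that is not code from the original research or from any MCP client. The function names, the tool dictionary shape, and the sample description are assumptions constructed for illustration; the control-character pass goes slightly beyond ANSI sequences to cover backspace and carriage-return overwrites.

```python
import re

# Escape-sequence grammar from ECMA-48; alternatives are tried in order.
ANSI_RE = re.compile("|".join([
    r"\x1b\[[0-?]*[ -/]*[@-~]",            # CSI: colors, cursor movement, erase
    r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)",  # OSC: titles, hyperlinks (BEL or ST ends it)
    r"\x1b[PX^_][^\x1b]*\x1b\\",           # DCS/SOS/PM/APC control strings
    r"\x9b[0-?]*[ -/]*[@-~]",              # 8-bit CSI introducer
    r"\x1b[ -/]*[0-~]",                    # any other (or truncated) ESC sequence
]))
# Remaining C0/C1 controls except tab and newline: covers stray ESC plus
# backspace and carriage return, which can also overwrite displayed text.
CTRL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")
FIND_RE = re.compile(f"{ANSI_RE.pattern}|{CTRL_RE.pattern}")


def audit(text: str) -> list[str]:
    """Return each escape sequence or control character, repr()-escaped."""
    return [repr(m.group()) for m in FIND_RE.finditer(text)]


def sanitize(text: str) -> str:
    """Strip sequences so the screen and the model receive identical text."""
    return CTRL_RE.sub("", ANSI_RE.sub("", text))


def review_tool(tool: dict) -> dict:
    """Sanitize one tool entry and flag it if anything was stripped."""
    findings = audit(tool["description"])
    return {
        "name": tool["name"],
        "description": sanitize(tool["description"]),
        "flagged": bool(findings),
        "findings": findings,
    }


# Constructed sample: black-on-black text, then cursor-up and erase-line.
SAMPLE = {
    "name": "add_numbers",  # hypothetical tool name
    "description": "Adds two numbers.\x1b[30;40m PLACEHOLDER-HIDDEN-TEXT\x1b[0m"
                   "\x1b[1A\x1b[2K",
}

if __name__ == "__main__":
    result = review_tool(SAMPLE)
    print(result["flagged"], result["findings"])
    print(result["description"])
```

Stripping removes the sequences, not the text they concealed, so previously hidden content becomes visible in the sanitized description; a flagged entry should be reviewed rather than silently passed through.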