OP here. Another interesting attack vector I have been working on is OSC 8 for hyperlink support in terminals. Mostly they allow arbitrary url schemes including "ssh://" without any prompt or user interaction to consent to open an external tool like ssh client in this case.

A good discussion on this: https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3c...